Joe Sandbox Cloud Basic Analysis Report
Create Interactive Tour

Windows Analysis Report ADRecon-KPMG.ps1

Overview

General Information

Sample Name:ADRecon-KPMG.ps1
Analysis ID:436762
MD5:6008e6c3deaa08fb420d5efd469590c6
SHA1:1c55b3e2c62932213a57ffb8a223fb2a52b4d170
SHA256:ac00dd7d54764e0389de434f3203c2a3384d2ffcc20615f40f09c4c0646c8d3f
Infos:

Most interesting Screenshot:

Detection

Score:56
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for dropped file
Opens network shares
Sigma detected: Suspicious Csc.exe Source File Folder
Compiles C# or VB.Net code
Contains capabilities to detect virtual machines
Contains functionality to detect virtual machines (SLDT)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file does not import any functions
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Uses code obfuscation techniques (call, push, ret)

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious

Process Tree

  • System is w10x64
  • powershell.exe (PID: 6832 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -noLogo -ExecutionPolicy unrestricted -file 'C:\Users\user\Desktop\ADRecon-KPMG.ps1' MD5: 95000560239032BC68B4C2FDFCDEF913)
    • conhost.exe (PID: 6848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • csc.exe (PID: 7120 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\tfu5mvir\tfu5mvir.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
      • cvtres.exe (PID: 4116 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES7143.tmp' 'c:\Users\user\AppData\Local\Temp\tfu5mvir\CSCED38EAF0BA2B44A19E4014561C643C3.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
    • csc.exe (PID: 2928 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\22kuy4qb\22kuy4qb.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
      • cvtres.exe (PID: 6228 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES8066.tmp' 'c:\Users\user\AppData\Local\Temp\22kuy4qb\CSC73C42A17711C4AAFA64E46FCC8D6B36.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
    • csc.exe (PID: 6492 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\2hftzesj\2hftzesj.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
      • cvtres.exe (PID: 6452 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES9074.tmp' 'c:\Users\user\AppData\Local\Temp\2hftzesj\CSC11820CB0636E4CAF90F043817D702019.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
    • csc.exe (PID: 5716 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\hmzbf4ad\hmzbf4ad.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
      • cvtres.exe (PID: 5688 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESABDB.tmp' 'c:\Users\user\AppData\Local\Temp\hmzbf4ad\CSCE214703DB10E47A0BDD59CF4E3CD48D.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

barindex
Sigma detected: Suspicious Csc.exe Source File Folder
Source: Process startedAuthor: Florian Roth: Data: Command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\tfu5mvir\tfu5mvir.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\tfu5mvir\tfu5mvir.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -noLogo -ExecutionPolicy unrestricted -file 'C:\Users\user\Desktop\ADRecon-KPMG.ps1', ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6832, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\tfu5mvir\tfu5mvir.cmdline', ProcessId: 7120

Signature Overview

  • AV Detection
  • Compliance
  • Spreading
  • Networking
  • System Summary
  • Data Obfuscation
  • Persistence and Installation Behavior
  • Hooking and other Techniques for Hiding and Protection
  • Malware Analysis System Evasion
  • Anti Debugging
  • HIPS / PFW / Operating System Protection Evasion
  • Language, Device and Operating System Detection
  • Stealing of Sensitive Information

Click to jump to signature section

Show All Signature Results

AV Detection:

barindex
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\2hftzesj\2hftzesj.dllAvira: detection malicious, Label: HEUR/AGEN.1138338
Source: C:\Users\user\AppData\Local\Temp\hmzbf4ad\hmzbf4ad.dllAvira: detection malicious, Label: HEUR/AGEN.1138338
Source: Binary string: ement.Automation.pdbreP= source: powershell.exe, 00000000.00000002.697248073.000002D24268A000.00000004.00000020.sdmp
Source: Binary string: e.pdb| source: powershell.exe, 00000000.00000003.696098701.000002D25C7E5000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.DirectoryServices.pdb\u\ source: powershell.exe, 00000000.00000003.694667944.000002D25C6DC000.00000004.00000001.sdmp
Source: Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 00000004.00000002.657005540.00000290C1170000.00000002.00000001.sdmp, csc.exe, 00000007.00000002.665233699.000001B15B230000.00000002.00000001.sdmp, csc.exe, 0000000A.00000002.678774607.000001EF6AFB0000.00000002.00000001.sdmp, csc.exe, 0000000C.00000002.691833971.0000020A557B0000.00000002.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\tfu5mvir\tfu5mvir.pdbXP source: powershell.exe, 00000000.00000002.701443333.000002D245066000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\22kuy4qb\22kuy4qb.pdb source: powershell.exe, 00000000.00000002.701443333.000002D245066000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000000.00000003.694999294.000002D25C755000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\hmzbf4ad\hmzbf4ad.pdb source: powershell.exe, 00000000.00000002.701654895.000002D24520C000.00000004.00000001.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000000.00000003.694999294.000002D25C755000.00000004.00000001.sdmp
Source: Binary string: \2b.pdb source: powershell.exe, 00000000.00000003.694836548.000002D25C733000.00000004.00000001.sdmp
Source: Binary string: System.DirectoryServices.pdb source: powershell.exe, 00000000.00000003.696098701.000002D25C7E5000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.pdbd source: powershell.exe, 00000000.00000003.694999294.000002D25C755000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\System.Core.pdb source: powershell.exe, 00000000.00000003.694999294.000002D25C755000.00000004.00000001.sdmp
Source: Binary string: adows\System.Core.pdb source: powershell.exe, 00000000.00000002.706309325.000002D25C7B6000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\2hftzesj\2hftzesj.pdbXP source: powershell.exe, 00000000.00000002.701535735.000002D245138000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\22kuy4qb\22kuy4qb.pdbXP source: powershell.exe, 00000000.00000002.701443333.000002D245066000.00000004.00000001.sdmp
Source: Binary string: d.pdb source: powershell.exe, 00000000.00000003.694999294.000002D25C755000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\tfu5mvir\tfu5mvir.pdb source: powershell.exe, 00000000.00000002.701443333.000002D245066000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\2hftzesj\2hftzesj.pdb source: powershell.exe, 00000000.00000002.701513748.000002D245116000.00000004.00000001.sdmp
Source: Binary string: System.Management.Automation.pdb-4437-8B11-F4 source: powershell.exe, 00000000.00000003.694999294.000002D25C755000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\hmzbf4ad\hmzbf4ad.pdbXP source: powershell.exe, 00000000.00000002.701654895.000002D24520C000.00000004.00000001.sdmp
Source: Binary string: re.pdb source: powershell.exe, 00000000.00000003.694999294.000002D25C755000.00000004.00000001.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
Source: powershell.exe, 00000000.00000002.706058883.000002D25C55A000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000000.00000002.706464108.000002D25CAA8000.00000004.00000001.sdmpString found in binary or memory: http://crl.m-Z
Source: powershell.exe, 00000000.00000002.706464108.000002D25CAA8000.00000004.00000001.sdmpString found in binary or memory: http://crl.micr
Source: powershell.exe, 00000000.00000003.696345714.000002D25C5B3000.00000004.00000001.sdmpString found in binary or memory: http://crl.microsoft
Source: powershell.exe, 00000000.00000003.645279942.000002D25CA81000.00000004.00000001.sdmp, ADRecon-KPMG.ps1String found in binary or memory: http://dmcritchie.mvps.org/excel/colors.htm
Source: powershell.exe, 00000000.00000003.649772237.000002D254968000.00000004.00000001.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.698312596.000002D24471F000.00000004.00000001.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.698105161.000002D244511000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.698312596.000002D24471F000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000003.645279942.000002D25CA81000.00000004.00000001.sdmp, ADRecon-KPMG.ps1String found in binary or memory: http://www.excelhowto.com/macros/formatting-a-range-of-cells-in-excel-vba/
Source: powershell.exe, 00000000.00000002.698312596.000002D24471F000.00000004.00000001.sdmp, powershell.exe, 00000000.00000003.645279942.000002D25CA81000.00000004.00000001.sdmp, ADRecon-KPMG.ps1String found in binary or memory: https://acsc.gov.au/infosec/ism/
Source: ADRecon-KPMG.ps1String found in binary or memory: https://adsecurity.org/?p=440
Source: powershell.exe, 00000000.00000003.649772237.000002D254968000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000003.649772237.000002D254968000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000003.649772237.000002D254968000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/License
Source: ADRecon-KPMG.ps1String found in binary or memory: https://github.com/BloodHoundAD/BloodHound/blob/master/PowerShell/BloodHound.ps1
Source: powershell.exe, 00000000.00000003.645279942.000002D25CA81000.00000004.00000001.sdmp, ADRecon-KPMG.ps1String found in binary or memory: https://github.com/GoateePFE/GPLinkReport/blob/master/gPLinkReport.ps1
Source: powershell.exe, 00000000.00000002.698312596.000002D24471F000.00000004.00000001.sdmpString found in binary or memory: https://github.com/Pester/Pester
Source: ADRecon-KPMG.ps1String found in binary or memory: https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
Source: powershell.exe, 00000000.00000003.645279942.000002D25CA81000.00000004.00000001.sdmp, ADRecon-KPMG.ps1String found in binary or memory: https://github.com/kfosaaen/Get-LAPSPasswords/blob/master/Get-LAPSPasswords.ps1
Source: ADRecon-KPMG.ps1String found in binary or memory: https://github.com/sense-of-security/ADRecon
Source: powershell.exe, 00000000.00000002.698312596.000002D24471F000.00000004.00000001.sdmpString found in binary or memory: https://github.com/sense-of-security/ADReconpp_B
Source: powershell.exe, 00000000.00000003.645279942.000002D25CA81000.00000004.00000001.sdmp, ADRecon-KPMG.ps1String found in binary or memory: https://github.com/vletoux/SmbScanner/blob/master/smbscanner.ps1
Source: powershell.exe, 00000000.00000002.705321526.000002D2460C6000.00000004.00000001.sdmpString found in binary or memory: https://go.micro
Source: powershell.exe, 00000000.00000002.705834814.000002D25482A000.00000004.00000001.sdmpString found in binary or memory: https://nuget.org/nuget.exe
Source: ADRecon-KPMG.ps1String found in binary or memory: https://raw.githubusercontent.com/mmessano/PowerShell/master/dns-dump.ps1
Source: powershell.exe, 00000000.00000003.645279942.000002D25CA81000.00000004.00000001.sdmp, ADRecon-KPMG.ps1String found in binary or memory: https://tools.ietf.org/html/rfc4121#section-4.1)
Source: powershell.exe, 00000000.00000002.698312596.000002D24471F000.00000004.00000001.sdmp, powershell.exe, 00000000.00000003.645279942.000002D25CA81000.00000004.00000001.sdmp, ADRecon-KPMG.ps1String found in binary or memory: https://www.cisecurity.org/benchmark/microsoft_windows_server/
Source: powershell.exe, 00000000.00000003.645279942.000002D25CA81000.00000004.00000001.sdmp, ADRecon-KPMG.ps1String found in binary or memory: https://www.ibm.com/support/knowledgecenter/en/ssw_aix_71/com.ibm.aix.security/ad_password_attribute
Source: powershell.exe, 00000000.00000002.698312596.000002D24471F000.00000004.00000001.sdmp, powershell.exe, 00000000.00000003.645279942.000002D25CA81000.00000004.00000001.sdmp, ADRecon-KPMG.ps1String found in binary or memory: https://www.pcisecuritystandards.org/document_library?category=pcidss&document=pci_dss
Source: ADRecon-KPMG.ps1String found in binary or memory: https://www.senseofsecurity.com.au

System Summary:

barindex
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFA35A80CD00_2_00007FFA35A80CD0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFA35A820C80_2_00007FFA35A820C8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFA35A80D300_2_00007FFA35A80D30
Source: 22kuy4qb.dll.7.drStatic PE information: No import functions for PE file found
Source: 2hftzesj.dll.10.drStatic PE information: No import functions for PE file found
Source: hmzbf4ad.dll.12.drStatic PE information: No import functions for PE file found
Source: tfu5mvir.dll.4.drStatic PE information: No import functions for PE file found
Source: classification engineClassification label: mal56.spyw.winPS1@18/34@0/0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\Documents\20210618Jump to behavior
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6848:120:WilError_01
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rorwv0kw.kes.ps1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -noLogo -ExecutionPolicy unrestricted -file 'C:\Users\user\Desktop\ADRecon-KPMG.ps1'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\tfu5mvir\tfu5mvir.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES7143.tmp' 'c:\Users\user\AppData\Local\Temp\tfu5mvir\CSCED38EAF0BA2B44A19E4014561C643C3.TMP'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\22kuy4qb\22kuy4qb.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES8066.tmp' 'c:\Users\user\AppData\Local\Temp\22kuy4qb\CSC73C42A17711C4AAFA64E46FCC8D6B36.TMP'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\2hftzesj\2hftzesj.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES9074.tmp' 'c:\Users\user\AppData\Local\Temp\2hftzesj\CSC11820CB0636E4CAF90F043817D702019.TMP'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\hmzbf4ad\hmzbf4ad.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESABDB.tmp' 'c:\Users\user\AppData\Local\Temp\hmzbf4ad\CSCE214703DB10E47A0BDD59CF4E3CD48D.TMP'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\tfu5mvir\tfu5mvir.cmdline'Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\22kuy4qb\22kuy4qb.cmdline'Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\2hftzesj\2hftzesj.cmdline'Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\hmzbf4ad\hmzbf4ad.cmdline'Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES7143.tmp' 'c:\Users\user\AppData\Local\Temp\tfu5mvir\CSCED38EAF0BA2B44A19E4014561C643C3.TMP'Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES8066.tmp' 'c:\Users\user\AppData\Local\Temp\22kuy4qb\CSC73C42A17711C4AAFA64E46FCC8D6B36.TMP'Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES9074.tmp' 'c:\Users\user\AppData\Local\Temp\2hftzesj\CSC11820CB0636E4CAF90F043817D702019.TMP'Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESABDB.tmp' 'c:\Users\user\AppData\Local\Temp\hmzbf4ad\CSCE214703DB10E47A0BDD59CF4E3CD48D.TMP'Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
Source: Binary string: ement.Automation.pdbreP= source: powershell.exe, 00000000.00000002.697248073.000002D24268A000.00000004.00000020.sdmp
Source: Binary string: e.pdb| source: powershell.exe, 00000000.00000003.696098701.000002D25C7E5000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.DirectoryServices.pdb\u\ source: powershell.exe, 00000000.00000003.694667944.000002D25C6DC000.00000004.00000001.sdmp
Source: Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 00000004.00000002.657005540.00000290C1170000.00000002.00000001.sdmp, csc.exe, 00000007.00000002.665233699.000001B15B230000.00000002.00000001.sdmp, csc.exe, 0000000A.00000002.678774607.000001EF6AFB0000.00000002.00000001.sdmp, csc.exe, 0000000C.00000002.691833971.0000020A557B0000.00000002.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\tfu5mvir\tfu5mvir.pdbXP source: powershell.exe, 00000000.00000002.701443333.000002D245066000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\22kuy4qb\22kuy4qb.pdb source: powershell.exe, 00000000.00000002.701443333.000002D245066000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000000.00000003.694999294.000002D25C755000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\hmzbf4ad\hmzbf4ad.pdb source: powershell.exe, 00000000.00000002.701654895.000002D24520C000.00000004.00000001.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000000.00000003.694999294.000002D25C755000.00000004.00000001.sdmp
Source: Binary string: \2b.pdb source: powershell.exe, 00000000.00000003.694836548.000002D25C733000.00000004.00000001.sdmp
Source: Binary string: System.DirectoryServices.pdb source: powershell.exe, 00000000.00000003.696098701.000002D25C7E5000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.pdbd source: powershell.exe, 00000000.00000003.694999294.000002D25C755000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\System.Core.pdb source: powershell.exe, 00000000.00000003.694999294.000002D25C755000.00000004.00000001.sdmp
Source: Binary string: adows\System.Core.pdb source: powershell.exe, 00000000.00000002.706309325.000002D25C7B6000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\2hftzesj\2hftzesj.pdbXP source: powershell.exe, 00000000.00000002.701535735.000002D245138000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\22kuy4qb\22kuy4qb.pdbXP source: powershell.exe, 00000000.00000002.701443333.000002D245066000.00000004.00000001.sdmp
Source: Binary string: d.pdb source: powershell.exe, 00000000.00000003.694999294.000002D25C755000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\tfu5mvir\tfu5mvir.pdb source: powershell.exe, 00000000.00000002.701443333.000002D245066000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\2hftzesj\2hftzesj.pdb source: powershell.exe, 00000000.00000002.701513748.000002D245116000.00000004.00000001.sdmp
Source: Binary string: System.Management.Automation.pdb-4437-8B11-F4 source: powershell.exe, 00000000.00000003.694999294.000002D25C755000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\hmzbf4ad\hmzbf4ad.pdbXP source: powershell.exe, 00000000.00000002.701654895.000002D24520C000.00000004.00000001.sdmp
Source: Binary string: re.pdb source: powershell.exe, 00000000.00000003.694999294.000002D25C755000.00000004.00000001.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\tfu5mvir\tfu5mvir.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\22kuy4qb\22kuy4qb.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\2hftzesj\2hftzesj.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\hmzbf4ad\hmzbf4ad.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\tfu5mvir\tfu5mvir.cmdline'Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\22kuy4qb\22kuy4qb.cmdline'Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\2hftzesj\2hftzesj.cmdline'Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\hmzbf4ad\hmzbf4ad.cmdline'Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFA35A81A97 push esi; retf 0_2_00007FFA35A81A9A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFA35A81B65 push eax; retf 0_2_00007FFA35A81B69
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFA35A81D55 pushfd ; retf 0_2_00007FFA35A81D6A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFA35A80F7D push ebp; retf 0_2_00007FFA35A80F82
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFA35A81B85 pushad ; retf 0_2_00007FFA35A81B89
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFA35A83F0D push es; iretd 0_2_00007FFA35A83F22
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFA35A87F17 push ebx; ret 0_2_00007FFA35A87F1A
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\hmzbf4ad\hmzbf4ad.dllJump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\22kuy4qb\22kuy4qb.dllJump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\2hftzesj\2hftzesj.dllJump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\tfu5mvir\tfu5mvir.dllJump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFA35B50FD1 sldt word ptr [eax]0_2_00007FFA35B50FD1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5144Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3685Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\hmzbf4ad\hmzbf4ad.dllJump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\22kuy4qb\22kuy4qb.dllJump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2hftzesj\2hftzesj.dllJump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tfu5mvir\tfu5mvir.dllJump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6992Thread sleep time: -3689348814741908s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
Source: powershell.exe, 00000000.00000002.706470844.000002D25CC20000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: powershell.exe, 00000000.00000002.698312596.000002D24471F000.00000004.00000001.sdmpBinary or memory string: BUILTIN\Hyper-V Administrators
Source: powershell.exe, 00000000.00000003.696098701.000002D25C7E5000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll-2125563209-4053062332-1002_Classes\TypeLib\{97d25db0-0363-11cf-abc4-02608c9e7553}\1.0\409n64
Source: powershell.exe, 00000000.00000003.645279942.000002D25CA81000.00000004.00000001.sdmp, ADRecon-KPMG.ps1Binary or memory string: 'S-1-5-32-578' { 'BUILTIN\Hyper-V Administrators' }
Source: powershell.exe, 00000000.00000002.706470844.000002D25CC20000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: powershell.exe, 00000000.00000002.706470844.000002D25CC20000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: powershell.exe, 00000000.00000002.706470844.000002D25CC20000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\tfu5mvir\tfu5mvir.cmdline'Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\22kuy4qb\22kuy4qb.cmdline'Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\2hftzesj\2hftzesj.cmdline'Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\hmzbf4ad\hmzbf4ad.cmdline'Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES7143.tmp' 'c:\Users\user\AppData\Local\Temp\tfu5mvir\CSCED38EAF0BA2B44A19E4014561C643C3.TMP'Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES8066.tmp' 'c:\Users\user\AppData\Local\Temp\22kuy4qb\CSC73C42A17711C4AAFA64E46FCC8D6B36.TMP'Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES9074.tmp' 'c:\Users\user\AppData\Local\Temp\2hftzesj\CSC11820CB0636E4CAF90F043817D702019.TMP'Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESABDB.tmp' 'c:\Users\user\AppData\Local\Temp\hmzbf4ad\CSCE214703DB10E47A0BDD59CF4E3CD48D.TMP'Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformationJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information:

barindex
Opens network shares
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: \\computer*\MAILSLOT\NET\NETLOGONJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: \\computer*\MAILSLOT\NET\NETLOGONJump to behavior

Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid AccountsWindows Management Instrumentation1Path InterceptionProcess Injection11Masquerading1OS Credential DumpingNetwork Share Discovery1Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsVirtualization/Sandbox Evasion51LSASS MemoryQuery Registry1Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Process Injection11Security Account ManagerSecurity Software Discovery21SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Obfuscated Files or Information1NTDSProcess Discovery1Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptSoftware PackingLSA SecretsVirtualization/Sandbox Evasion51SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
Replication Through Removable MediaLaunchdRc.commonRc.commonSteganographyCached Domain CredentialsApplication Window Discovery1VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
External Remote ServicesScheduled TaskStartup ItemsStartup ItemsCompile After DeliveryDCSyncFile and Directory Discovery2Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc FilesystemSystem Information Discovery22Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 436762 Sample: ADRecon-KPMG.ps1 Startdate: 18/06/2021 Architecture: WINDOWS Score: 56 38 Antivirus detection for dropped file 2->38 40 Sigma detected: Suspicious Csc.exe Source File Folder 2->40 7 powershell.exe 51 2->7         started        process3 file4 28 C:\Users\user\AppData\...\tfu5mvir.cmdline, UTF-8 7->28 dropped 42 Opens network shares 7->42 11 csc.exe 3 7->11         started        14 csc.exe 3 7->14         started        16 csc.exe 3 7->16         started        18 2 other processes 7->18 signatures5 process6 file7 30 C:\Users\user\AppData\Local\...\hmzbf4ad.dll, PE32 11->30 dropped 20 cvtres.exe 1 11->20         started        32 C:\Users\user\AppData\Local\...\2hftzesj.dll, PE32 14->32 dropped 22 cvtres.exe 1 14->22         started        34 C:\Users\user\AppData\Local\...\tfu5mvir.dll, PE32 16->34 dropped 24 cvtres.exe 1 16->24         started        36 C:\Users\user\AppData\Local\...\22kuy4qb.dll, PE32 18->36 dropped 26 cvtres.exe 1 18->26         started        process8

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
ADRecon-KPMG.ps10%ReversingLabs

Dropped Files

SourceDetectionScannerLabelLink
C:\Users\user\AppData\Local\Temp\2hftzesj\2hftzesj.dll100%AviraHEUR/AGEN.1138338
C:\Users\user\AppData\Local\Temp\hmzbf4ad\hmzbf4ad.dll100%AviraHEUR/AGEN.1138338

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
http://pesterbdd.com/images/Pester.png0%URL Reputationsafe
http://pesterbdd.com/images/Pester.png0%URL Reputationsafe
http://pesterbdd.com/images/Pester.png0%URL Reputationsafe
http://crl.microsoft0%URL Reputationsafe
http://crl.microsoft0%URL Reputationsafe
http://crl.microsoft0%URL Reputationsafe
https://go.micro0%URL Reputationsafe
https://go.micro0%URL Reputationsafe
https://go.micro0%URL Reputationsafe
https://raw.githubusercontent.com/mmessano/PowerShell/master/dns-dump.ps10%Avira URL Cloudsafe
https://contoso.com/License0%URL Reputationsafe
https://contoso.com/License0%URL Reputationsafe
https://contoso.com/License0%URL Reputationsafe
https://contoso.com/Icon0%URL Reputationsafe
https://contoso.com/Icon0%URL Reputationsafe
https://contoso.com/Icon0%URL Reputationsafe
http://www.excelhowto.com/macros/formatting-a-range-of-cells-in-excel-vba/0%Avira URL Cloudsafe
https://acsc.gov.au/infosec/ism/0%Avira URL Cloudsafe
https://contoso.com/0%URL Reputationsafe
https://contoso.com/0%URL Reputationsafe
https://contoso.com/0%URL Reputationsafe
http://crl.micr0%URL Reputationsafe
http://crl.micr0%URL Reputationsafe
http://crl.micr0%URL Reputationsafe
http://crl.m-Z0%Avira URL Cloudsafe
https://www.senseofsecurity.com.au0%Avira URL Cloudsafe

Domains and IPs

Contacted Domains

No contacted domains info
NameSourceMaliciousAntivirus DetectionReputation
http://nuget.org/NuGet.exepowershell.exe, 00000000.00000003.649772237.000002D254968000.00000004.00000001.sdmpfalse
    		high
    https://github.com/sense-of-security/ADReconpp_Bpowershell.exe, 00000000.00000002.698312596.000002D24471F000.00000004.00000001.sdmpfalse
      		high
      https://github.com/vletoux/SmbScanner/blob/master/smbscanner.ps1powershell.exe, 00000000.00000003.645279942.000002D25CA81000.00000004.00000001.sdmp, ADRecon-KPMG.ps1false
        		high
        http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000000.00000002.698312596.000002D24471F000.00000004.00000001.sdmpfalse
        • URL Reputation: safe
        • URL Reputation: safe
        • URL Reputation: safe
        		unknown
        http://crl.microsoftpowershell.exe, 00000000.00000003.696345714.000002D25C5B3000.00000004.00000001.sdmpfalse
        • URL Reputation: safe
        • URL Reputation: safe
        • URL Reputation: safe
        		unknown
        http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000000.00000002.698312596.000002D24471F000.00000004.00000001.sdmpfalse
          		high
          https://go.micropowershell.exe, 00000000.00000002.705321526.000002D2460C6000.00000004.00000001.sdmpfalse
          • URL Reputation: safe
          • URL Reputation: safe
          • URL Reputation: safe
          		unknown
          https://raw.githubusercontent.com/mmessano/PowerShell/master/dns-dump.ps1ADRecon-KPMG.ps1false
          • Avira URL Cloud: safe
          		unknown
          https://contoso.com/Licensepowershell.exe, 00000000.00000003.649772237.000002D254968000.00000004.00000001.sdmpfalse
          • URL Reputation: safe
          • URL Reputation: safe
          • URL Reputation: safe
          		unknown
          https://adsecurity.org/?p=440ADRecon-KPMG.ps1false
            		high
            https://contoso.com/Iconpowershell.exe, 00000000.00000003.649772237.000002D254968000.00000004.00000001.sdmpfalse
            • URL Reputation: safe
            • URL Reputation: safe
            • URL Reputation: safe
            		unknown
            http://www.excelhowto.com/macros/formatting-a-range-of-cells-in-excel-vba/powershell.exe, 00000000.00000003.645279942.000002D25CA81000.00000004.00000001.sdmp, ADRecon-KPMG.ps1false
            • Avira URL Cloud: safe
            		unknown
            http://dmcritchie.mvps.org/excel/colors.htmpowershell.exe, 00000000.00000003.645279942.000002D25CA81000.00000004.00000001.sdmp, ADRecon-KPMG.ps1false
              		high
              https://github.com/GoateePFE/GPLinkReport/blob/master/gPLinkReport.ps1powershell.exe, 00000000.00000003.645279942.000002D25CA81000.00000004.00000001.sdmp, ADRecon-KPMG.ps1false
                		high
                https://github.com/Pester/Pesterpowershell.exe, 00000000.00000002.698312596.000002D24471F000.00000004.00000001.sdmpfalse
                  		high
                  https://acsc.gov.au/infosec/ism/powershell.exe, 00000000.00000002.698312596.000002D24471F000.00000004.00000001.sdmp, powershell.exe, 00000000.00000003.645279942.000002D25CA81000.00000004.00000001.sdmp, ADRecon-KPMG.ps1false
                  • Avira URL Cloud: safe
                  		unknown
                  https://github.com/BloodHoundAD/BloodHound/blob/master/PowerShell/BloodHound.ps1ADRecon-KPMG.ps1false
                    		high
                    https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1ADRecon-KPMG.ps1false
                      		high
                      https://tools.ietf.org/html/rfc4121#section-4.1)powershell.exe, 00000000.00000003.645279942.000002D25CA81000.00000004.00000001.sdmp, ADRecon-KPMG.ps1false
                        		high
                        https://contoso.com/powershell.exe, 00000000.00000003.649772237.000002D254968000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        		unknown
                        https://nuget.org/nuget.exepowershell.exe, 00000000.00000002.705834814.000002D25482A000.00000004.00000001.sdmpfalse
                          		high
                          https://www.ibm.com/support/knowledgecenter/en/ssw_aix_71/com.ibm.aix.security/ad_password_attributepowershell.exe, 00000000.00000003.645279942.000002D25CA81000.00000004.00000001.sdmp, ADRecon-KPMG.ps1false
                            		high
                            https://www.cisecurity.org/benchmark/microsoft_windows_server/powershell.exe, 00000000.00000002.698312596.000002D24471F000.00000004.00000001.sdmp, powershell.exe, 00000000.00000003.645279942.000002D25CA81000.00000004.00000001.sdmp, ADRecon-KPMG.ps1false
                              		high
                              https://github.com/sense-of-security/ADReconADRecon-KPMG.ps1false
                                		high
                                http://crl.micrpowershell.exe, 00000000.00000002.706464108.000002D25CAA8000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                		unknown
                                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000000.00000002.698105161.000002D244511000.00000004.00000001.sdmpfalse
                                  		high
                                  https://www.pcisecuritystandards.org/document_library?category=pcidss&document=pci_dsspowershell.exe, 00000000.00000002.698312596.000002D24471F000.00000004.00000001.sdmp, powershell.exe, 00000000.00000003.645279942.000002D25CA81000.00000004.00000001.sdmp, ADRecon-KPMG.ps1false
                                    		high
                                    http://crl.m-Zpowershell.exe, 00000000.00000002.706464108.000002D25CAA8000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    https://www.senseofsecurity.com.auADRecon-KPMG.ps1false
                                    • Avira URL Cloud: safe
                                    		unknown
                                    https://github.com/kfosaaen/Get-LAPSPasswords/blob/master/Get-LAPSPasswords.ps1powershell.exe, 00000000.00000003.645279942.000002D25CA81000.00000004.00000001.sdmp, ADRecon-KPMG.ps1false
                                      		high

                                      Contacted IPs

                                      No contacted IP infos

                                      General Information

                                      Joe Sandbox Version:32.0.0 Black Diamond
                                      Analysis ID:436762
                                      Start date:18.06.2021
                                      Start time:15:29:57
                                      Joe Sandbox Product:CloudBasic
                                      Overall analysis duration:0h 6m 57s
                                      Hypervisor based Inspection enabled:false
                                      Report type:full
                                      Sample file name:ADRecon-KPMG.ps1
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                      Number of analysed new started processes analysed:29
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • HDC enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Detection:MAL
                                      Classification:mal56.spyw.winPS1@18/34@0/0
                                      EGA Information:Failed
                                      HDC Information:Failed
                                      HCA Information:
                                      • Successful, ratio: 100%
                                      • Number of executed functions: 14
                                      • Number of non-executed functions: 4
                                      Cookbook Comments:
                                      • Adjust boot time
                                      • Enable AMSI
                                      • Found application associated with file extension: .ps1
                                      • Stop behavior analysis, all processes terminated
                                      Warnings:
                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                      • Execution Graph export aborted for target powershell.exe, PID 6832 because it is empty
                                      • Not all processes where analyzed, report is missing behavior information
                                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                      • Report size getting too big, too many NtSetInformationFile calls found.
                                      • VT rate limit hit for: /opt/package/joesandbox/database/analysis/436762/sample/ADRecon-KPMG.ps1

                                      Simulations

                                      TimeTypeDescription
                                      15:30:45API Interceptor40x Sleep call for process: powershell.exe modified

                                      Joe Sandbox View / Context

                                      IPs

                                      No context

                                      Domains

                                      No context

                                      ASN

                                      No context

                                      JA3 Fingerprints

                                      No context

                                      Dropped Files

                                      No context

                                      Created / dropped Files

                                      C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):17949
                                      Entropy (8bit):4.998762997516168
                                      Encrypted:false
                                      SSDEEP:384:Awib4LEVoGIpN6KQkj2jkjh4iUxLzv0ifOdBVNXp5CYoY4Qib4w:AEEV3IpNBQkj22h4iUxLzv0ifOdBVNZw
                                      MD5:BA27C7CD4B91D42164C0D41B8CB77AF5
                                      SHA1:D39DCE142D49FB1B059F966A3D15861691D03D79
                                      SHA-256:5F4B9E6C824ED7397D5B0CE093B4162AEB4D2627779423DE4960AF7F395F1C07
                                      SHA-512:2B9524B0BB94DECC7C464A4DB88241F4FD62F22D9DDB217D0735715D935C0BD7FA60D2B02628025787D8D19E38153EAF887B7AEA24F2516ADE1A0019FE2D75AA
                                      Malicious:false
                                      Reputation:low
                                      Preview: PSMODULECACHE.............S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script..........Y.....C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                      C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):1300
                                      Entropy (8bit):5.343226012152825
                                      Encrypted:false
                                      SSDEEP:24:3vQPpQrLAo4KAxX5qRPD42HOoFe9t4CvKuKnKzOaBPnXF8PQ9fT:oPerB4nqRL/HvFe9t4Cv94vOfV8Y9fT
                                      MD5:A24C10403F187961D1B171A952190A71
                                      SHA1:2D4397D0677F98F4DD7B105F2860970DE13C8774
                                      SHA-256:9ECA12CD874FD2BEC7CAFE7A7D532B10C299D771F859A03D72ACB62448801965
                                      SHA-512:CCC20614D003810224A9CAEA2AA6F66833A868C1480FE7B33902B6E92A276036A636311ED43CA359A8E3E2A9A5FB99DFF3381B5F04BF62C80A8E7CDAE811665F
                                      Malicious:false
                                      Reputation:low
                                      Preview: @...e................................................@..........8................'....L..}............System.Numerics.H...............<@.^.L."My...:...... .Microsoft.PowerShell.ConsoleHost0...............G-.o...A...4B..........System..4...............[...{a.C..%6..h.........System.Core.D...............fZve...F.....x.)........System.Management.AutomationL...............7.....J@......~.......#.Microsoft.Management.Infrastructure.<................H..QN.Y.f............System.Management...@................Lo...QN......<Q........System.DirectoryServices4................Zg5..:O..g..q..........System.Xml..4...............T..'Z..N..Nvj.G.........System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<...............)L..Pz.O.E.R............System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                                      C:\Users\user\AppData\Local\Temp\22kuy4qb\22kuy4qb.0.cs
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:C++ source, UTF-8 Unicode (with BOM) text
                                      Category:dropped
                                      Size (bytes):234
                                      Entropy (8bit):4.837953277416018
                                      Encrypted:false
                                      SSDEEP:3:V/DsIWMLCI53eqIusd81AWVEGWL48zzbAYvw/4JiiwMQZShrAoVS2GFR8KA59LRu:V/DsYLDS81zuzxpMIQQAos2SRMDk5Yy
                                      MD5:5AB5FA2642C9CCAE71FDEC4667005473
                                      SHA1:84B8886F7C7FDC6D93CC4149D22C9E418A39FFE0
                                      SHA-256:D2F2F4F21B69D20180DF77295EBB281B055C64445080F6FFB5294A99DCE25209
                                      SHA-512:802613B2ED38D24F6B0902479B5A00EB5DC64442206E8A122F8FB812CB720C167DEB47675BA7CA48E043BC352F149AA0A5F0AE508239B3189EBA0D5208E1E25B
                                      Malicious:false
                                      Preview: .using System;.using System.Runtime.InteropServices;..namespace ADRecon.{. public class Kernel32. {. [DllImport("kernel32.dll", SetLastError = true)]. public static extern bool CloseHandle(IntPtr hObject);.. }..}.
                                      C:\Users\user\AppData\Local\Temp\22kuy4qb\22kuy4qb.cmdline
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                                      Category:dropped
                                      Size (bytes):369
                                      Entropy (8bit):5.31832960082016
                                      Encrypted:false
                                      SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23fDYzxs7+AEszIwkn23fDV:p37Lvkmb6KRf8WZEifZ
                                      MD5:176C076F99A7E4735B66BF8158F4B920
                                      SHA1:8D2468F1B0179F306A00303135ABC1895D39F9E4
                                      SHA-256:39E9CA68598843E2E14F80DF91548203564B65DC722AC2FBDB4CD43D36C5E6B4
                                      SHA-512:F6D4F6A285876D09DD4EC548C77B864B7AEA09DD27D1FAAC708AA8F1CC0E25F1B3502D0168FF44545B345688ACEA6C46A82B79D2D7429F2B548202B40DAFF238
                                      Malicious:false
                                      Preview: ./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\22kuy4qb\22kuy4qb.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\22kuy4qb\22kuy4qb.0.cs"
                                      C:\Users\user\AppData\Local\Temp\22kuy4qb\22kuy4qb.dll
                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):3072
                                      Entropy (8bit):2.723126896976699
                                      Encrypted:false
                                      SSDEEP:24:etGSm/BepxLd84fLzmkup4PtkZfwlrjOcUxbI+ycuZhNIakS0PNnq:6l24vhuCuJQ3dKb1ulIa3Uq
                                      MD5:A5A124DCA07A1D0A3CC466C2E9111D86
                                      SHA1:BE6A85F0D4616F13402C52B23D19E247D8B6AF69
                                      SHA-256:A1EFF5D01E8107BDEABCBAFDFC31AC4A6B24268C9C1C15EF3C4653273383EC29
                                      SHA-512:98B7070F7C94A4578CCDB6737986CBA54A93FA288FE06BD8A63FE7C15130BF487F521C936AAA168F8DE249EA8F98DD1A62A4AF3DFB7401FA695A78CC5588F08A
                                      Malicious:false
                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`...........!................~#... ...@....... ....................................@.................................$#..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B..................(....*BSJB............v4.0.30319......l.......#~..l.......#Strings....l.......#US.t.......#GUID.......H...#Blob...........G.........%3............................................................8.1...y.Y.....Y........................... .............. ?.....P ......K.........Q...K.....K...!.K.....K.............&...@...?.......................................(..........<Module>.22kuy4qb.dll.Kernel32.ADRecon.mscorlib.System.Object.CloseHandle..ctor.hObject.System.Runtime.CompilerServ
                                      C:\Users\user\AppData\Local\Temp\22kuy4qb\22kuy4qb.out
                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                      File Type:ASCII text, with CRLF, CR line terminators
                                      Category:modified
                                      Size (bytes):412
                                      Entropy (8bit):4.871364761010112
                                      Encrypted:false
                                      SSDEEP:12:zKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:zKaM5DqBVKVrdFAMBJTH
                                      MD5:83B3C9D9190CE2C57B83EEE13A9719DF
                                      SHA1:ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E
                                      SHA-256:B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
                                      SHA-512:0DE42AC5924B8A8E977C1330E9D7151E9DCBB1892A038C1815321927DA3DB804EC13B129196B6BC84C7BFC9367C1571FCD128CCB0645EAC7418E39A91BC2FEDB
                                      Malicious:false
                                      Preview: Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                      C:\Users\user\AppData\Local\Temp\22kuy4qb\CSC73C42A17711C4AAFA64E46FCC8D6B36.TMP
                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                      File Type:MSVC .res
                                      Category:dropped
                                      Size (bytes):652
                                      Entropy (8bit):3.121262308944385
                                      Encrypted:false
                                      SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryWak7Ynqq0PN5Dlq5J:+RI+ycuZhNIakS0PNnqX
                                      MD5:0F8C0392277BDD37F716D58A8B4A7EF6
                                      SHA1:7B4CB4DB53A0E1F91DB6AE3E6F780E01845D0B48
                                      SHA-256:D2ACB274EFA01F58CDD21A1D4C5F4823804EE655CDA9F7136B0BB5E999BDB1B8
                                      SHA-512:0AE97087157E54E24473A3AFB4751C6E60F2EFB3EC69DCEB28B2B21CE0DE06B175EB4F1B3F33C68ED1D4C2398DBA5F41C85390F258190969A6E6DD12214658DC
                                      Malicious:false
                                      Preview: .... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...2.2.k.u.y.4.q.b...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...2.2.k.u.y.4.q.b...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                      C:\Users\user\AppData\Local\Temp\2hftzesj\2hftzesj.0.cs
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:C++ source, UTF-8 Unicode (with BOM) text
                                      Category:dropped
                                      Size (bytes):13616
                                      Entropy (8bit):5.3056667837640115
                                      Encrypted:false
                                      SSDEEP:384:iHVYrVarE2xnsHcC6qPuNSFEMSM1PuNGlLn:U2rUrrxnycC6qPuNSFEMSM1PuNGlLn
                                      MD5:743B6837C85645CD2325F6295ACF2386
                                      SHA1:EB31A36D045BEA8DCB4813209B9C4100F0A6A546
                                      SHA-256:1E93A153ED55B119F7B5BF756BD9560D010B43C35F10BD6CDC010294555B7E8A
                                      SHA-512:B132383BD091E8EE7E0749E0490626BD68FDCB51A05F81FF5D9DA1022E85632A6FE5AB2EAA5441DDBA99AAFF7D1232A21358BF45F32910F9FDAC591EAA5973F3
                                      Malicious:false
                                      Preview: .using System;.using System.Collections.Generic;.using System.Diagnostics;.using System.IO;.using System.Net;.using System.Net.Sockets;.using System.Text;.using System.Runtime.InteropServices;.using System.Management.Automation;..namespace ADRecon.{. public class PingCastleScannersSMBScanner..{. [StructLayout(LayoutKind.Explicit)]...struct SMB_Header {....[FieldOffset(0)]....public UInt32 Protocol;....[FieldOffset(4)]....public byte Command;....[FieldOffset(5)]....public int Status;....[FieldOffset(9)]....public byte Flags;....[FieldOffset(10)]....public UInt16 Flags2;....[FieldOffset(12)]....public UInt16 PIDHigh;....[FieldOffset(14)]....public UInt64 SecurityFeatures;....[FieldOffset(22)]....public UInt16 Reserved;....[FieldOffset(24)]....public UInt16 TID;....[FieldOffset(26)]....public UInt16 PIDLow;....[FieldOffset(28)]....public UInt16 UID;....[FieldOffset(30)]....public UInt16 MID;...};...// https://msdn.microsoft.com/en-us/library/cc246529.aspx...[StructLayout(Layo
                                      C:\Users\user\AppData\Local\Temp\2hftzesj\2hftzesj.cmdline
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                                      Category:dropped
                                      Size (bytes):369
                                      Entropy (8bit):5.256825968064545
                                      Encrypted:false
                                      SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23f8EomJ+zxs7+AEszIwkn23f8EoE:p37Lvkmb6KRfUnm0WZEifUnE
                                      MD5:52D2020F824BFFFCF8FA851F9137F242
                                      SHA1:C39D8930902B0F7EB410D97AEF252D474F701F4E
                                      SHA-256:DC4C5D79BAD326DCF661F855AD7EDBA2855F83C1856725DA969F35D0FA3454D9
                                      SHA-512:90EF6A0670DD33C3FFF0CC3F2F46FFC512EE917758A7654A43678E9942BECDB38AA569456A6AD5B2BBD8123C5631A626B86580A113D19901F4F31C3E001B274D
                                      Malicious:false
                                      Preview: ./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\2hftzesj\2hftzesj.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\2hftzesj\2hftzesj.0.cs"
                                      C:\Users\user\AppData\Local\Temp\2hftzesj\2hftzesj.dll
                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):8704
                                      Entropy (8bit):4.701567451343365
                                      Encrypted:false
                                      SSDEEP:96:4YK11I8aDmU9aTst2fHY+Zh2pIZprrM6OE88mYtdo1uaDgzrkK:4h1q8aDDaT2mX2pIZXOE8R49
                                      MD5:02C3F9DB30B0FE59996CBCD79D854A85
                                      SHA1:1159A8E8727972C021566F7E2E877B610F17ED88
                                      SHA-256:1DD4080F108330F61D45B0FF6A4C55EA8D24EC0ACA8564CC2D93DC604563BBD6
                                      SHA-512:EB4E44B607D610DFD47981A74FF217B231DE557094F412CC513F8758F7D19B2808EDAA3ED9C93E09917A476BE2FDBB1F52E20B87A8AA3656E6B8B7D49D09F729
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`...........!.................9... ...@....... ....................................@..................................8..S....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`....... ..............@..B.................0.................... .SMB}.......}.......}........}...... S...}.......}.......j}.......}...... ....}...... ....}.......}.......}..........(....*...0..N................. .SMB}.......}.......@}.......}.......j}!..... ....}".........(....*...0...........(.............(........(........(.....(.....*...0..1.......(.....o.......i.X.............i.Y........i(.....*....0..(.........i.X..............i...........i(.....*.0..B..................$}'......}(......}).....(....},.......}..........
                                      C:\Users\user\AppData\Local\Temp\2hftzesj\2hftzesj.out
                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                      File Type:ASCII text, with CRLF, CR line terminators
                                      Category:modified
                                      Size (bytes):412
                                      Entropy (8bit):4.871364761010112
                                      Encrypted:false
                                      SSDEEP:12:zKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:zKaM5DqBVKVrdFAMBJTH
                                      MD5:83B3C9D9190CE2C57B83EEE13A9719DF
                                      SHA1:ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E
                                      SHA-256:B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
                                      SHA-512:0DE42AC5924B8A8E977C1330E9D7151E9DCBB1892A038C1815321927DA3DB804EC13B129196B6BC84C7BFC9367C1571FCD128CCB0645EAC7418E39A91BC2FEDB
                                      Malicious:false
                                      Preview: Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                      C:\Users\user\AppData\Local\Temp\2hftzesj\CSC11820CB0636E4CAF90F043817D702019.TMP
                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                      File Type:MSVC .res
                                      Category:dropped
                                      Size (bytes):652
                                      Entropy (8bit):3.1071360149671294
                                      Encrypted:false
                                      SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryUak7YnqqKPN5Dlq5J:+RI+ycuZhNCakSKPNnqX
                                      MD5:44E986B8AAD9FFD50CD101E9DD5B6728
                                      SHA1:48CC9AC9E56EDAA75D578996E60493D3063D3E53
                                      SHA-256:7C2413A76FA94E6C2090DC732D310D21A1DAFEEB0639D056FD3E63F5FC803A32
                                      SHA-512:80EA411E81C9B849F57ED1E11D5DA08EC7B9DACA89E240EB4034D6B8FDD1877012ECC2EFA746311018EC603EF20947BB395AEC5435DAF7C13C8B7CB81CE6D0F2
                                      Malicious:false
                                      Preview: .... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...2.h.f.t.z.e.s.j...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...2.h.f.t.z.e.s.j...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                      C:\Users\user\AppData\Local\Temp\RES7143.tmp
                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):2188
                                      Entropy (8bit):2.70357239212724
                                      Encrypted:false
                                      SSDEEP:24:bZfNg9DfHwhKEsmNfI+ycuZhNOakSGPNnq92pkzW9I:bBKByKhm91ulOa36q9P
                                      MD5:BED4D3DD1EECAE4A56069079E3A22F06
                                      SHA1:56E3BB98596991255DE4E800CC808782852310B2
                                      SHA-256:C0415E86A5701C2FDA63CD7E3BC7351063FB8E8023F15084D242041D65808C49
                                      SHA-512:AD74B8C42DCE886AD1FE19C8FCA91B1057D913724A1DC8E0280BA93212A615016ADF76E1D16B7AB48FC8BD3F30F1D6FA7B5EA86E793679DFDE3FA95CA58B8550
                                      Malicious:false
                                      Preview: ........S....c:\Users\user\AppData\Local\Temp\tfu5mvir\CSCED38EAF0BA2B44A19E4014561C643C3.TMP..................Y.l).<,.].\.o..........4.......C:\Users\user\AppData\Local\Temp\RES7143.tmp.-.<...................'...Microsoft (R) CVTRES.^.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      C:\Users\user\AppData\Local\Temp\RES8066.tmp
                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):2188
                                      Entropy (8bit):2.722320580709945
                                      Encrypted:false
                                      SSDEEP:24:bZfkJ/E11DfHdZFhKEsmNfI+ycuZhNIakS0PNnq92pYzW9I:bBA/e9ZzKhm91ulIa3Uq9D
                                      MD5:1BFBF76506BF3D4D68E534F9C4E351FE
                                      SHA1:5F3EED484CBE7B861F8C2F0AC70D2D1DB31F9730
                                      SHA-256:8674880573B963387D4DAE64C1CFE8069FDC42E547D2933D93E94C3F508E0F2E
                                      SHA-512:AD32F48F2C2AECE9A846AC9601C47352D30CEFE0AB4384EB13B9A75852BC2B3ACA6C9259F68E9E9127058C2A679D0EE40372B9251B946876C62F6758C1532B55
                                      Malicious:false
                                      Preview: ........S....c:\Users\user\AppData\Local\Temp\22kuy4qb\CSC73C42A17711C4AAFA64E46FCC8D6B36.TMP....................'{.7....J~...........4.......C:\Users\user\AppData\Local\Temp\RES8066.tmp.-.<...................'...Microsoft (R) CVTRES.^.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      C:\Users\user\AppData\Local\Temp\RES9074.tmp
                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):2188
                                      Entropy (8bit):2.707574666950414
                                      Encrypted:false
                                      SSDEEP:24:p+fUr8DfHfhKEsmNfI+ycuZhNCakSKPNnq92pjYzW9I:cWqZKhm91ulCa3mq96O
                                      MD5:7C57D7F34F9D380B672830DC1B7E9A88
                                      SHA1:7ABC4256F883842A5BC8561E6C22348ADAFA15EF
                                      SHA-256:1CB4785FFC74F265B1084B08F825D2B6D1D4296208808469A44B355FD8F466FF
                                      SHA-512:4BE5CE1CC32FAD8D82760562E74916EFF0765AA3C919F2016CE1BC458F67883A2DB05695ED973B6FBF2D4FE16D34FEFB0124DC3A765F6BB73A5DEBD392B97FD6
                                      Malicious:false
                                      Preview: ........T....c:\Users\user\AppData\Local\Temp\2hftzesj\CSC11820CB0636E4CAF90F043817D702019.TMP...............D..........[g(..........4.......C:\Users\user\AppData\Local\Temp\RES9074.tmp.-.<...................'...Microsoft (R) CVTRES.^.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      C:\Users\user\AppData\Local\Temp\RESABDB.tmp
                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):2188
                                      Entropy (8bit):2.7083990416814956
                                      Encrypted:false
                                      SSDEEP:24:bZfiv8DfHIhKEsmNfI+ycuZhNeHakSZQPNnq92pdzW9I:bBrqKhm91uleHa3ZIq96
                                      MD5:E16E4DD16D0700CAC7A48D2A4C2AC839
                                      SHA1:46B197721AC618249EBA620C3647E855E74FC9E4
                                      SHA-256:EF5A342E3FFE2058FB0733765430BF78D8DA073B9FCD391AAEBAF4F9D0D8F194
                                      SHA-512:54E714FCF227EC7073E193041D71F81110684387401229934BABB73904FA1327965807CB0B13489E92499749B734876B221A958249D1DDE0CF757AF8CA7889AD
                                      Malicious:false
                                      Preview: ........S....c:\Users\user\AppData\Local\Temp\hmzbf4ad\CSCE214703DB10E47A0BDD59CF4E3CD48D.TMP..................wA....i`....y...........4.......C:\Users\user\AppData\Local\Temp\RESABDB.tmp.-.<...................'...Microsoft (R) CVTRES.^.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_divvbyll.vrx.psm1
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:very short file (no magic)
                                      Category:dropped
                                      Size (bytes):1
                                      Entropy (8bit):0.0
                                      Encrypted:false
                                      SSDEEP:3:U:U
                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                      Malicious:false
                                      Preview: 1
                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rorwv0kw.kes.ps1
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:very short file (no magic)
                                      Category:dropped
                                      Size (bytes):1
                                      Entropy (8bit):0.0
                                      Encrypted:false
                                      SSDEEP:3:U:U
                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                      Malicious:false
                                      Preview: 1
                                      C:\Users\user\AppData\Local\Temp\hmzbf4ad\CSCE214703DB10E47A0BDD59CF4E3CD48D.TMP
                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                      File Type:MSVC .res
                                      Category:dropped
                                      Size (bytes):652
                                      Entropy (8bit):3.1014328811937397
                                      Encrypted:false
                                      SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryONHak7YnqqjNQPN5Dlq5J:+RI+ycuZhNeHakSZQPNnqX
                                      MD5:FF7F774186CD06E469601E8CD30D79F5
                                      SHA1:C202AB5CF8CD4A2C910A11679599F8070971F499
                                      SHA-256:848EE362B93C735AD8309AD654A5CFF326DFD43C05ED9A9B0067D73E6419F50C
                                      SHA-512:8FB2FC7C2E864F44A17A53193CE40F2120105F01455613B353C16E711256587A8AC85B75EC4FE69E3938C37CCE71A04197FFFFB796E73ED3E8142CB9D90AB5D6
                                      Malicious:false
                                      Preview: .... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...h.m.z.b.f.4.a.d...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...h.m.z.b.f.4.a.d...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                      C:\Users\user\AppData\Local\Temp\hmzbf4ad\hmzbf4ad.0.cs
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:C++ source, UTF-8 Unicode (with BOM) text, with very long lines
                                      Category:dropped
                                      Size (bytes):82692
                                      Entropy (8bit):4.386560180163499
                                      Encrypted:false
                                      SSDEEP:768:5KUrYWYxYDFQLsTExaJJ7tsThgDU2AXMIVaIIVLT:5KOYWYxYDW9apslgg2AHa7LT
                                      MD5:1FC273B23EB699DE4CD1B2B488F3FE07
                                      SHA1:311D784EDFA828EE04A2B57AC308704960097156
                                      SHA-256:5576585B2F3493D027C946DEA0B45172C09B3ABD46675CBD56F4CD0C10ED71B0
                                      SHA-512:A54C18F404E83DDD5FEC5861682B109AD8E34A97833FCAC427A76C7FE42D32AB24197F6A7B00697E5ECB3FF554D9EE7D3D6A2140F2BA157E8216CFB3B5D3E74A
                                      Malicious:false
                                      Preview: .// Thanks Dennis Albuquerque for the C# multithreading code.using System;.using System.Collections;.using System.Collections.Generic;.using System.Linq;.using System.Net;.using System.Threading;.using System.DirectoryServices;.using System.Security.Principal;.using System.Security.AccessControl;.using System.Management.Automation;..namespace ADRecon.{. public static class LDAPClass. {. private static DateTime Date1;. private static int PassMaxAge;. private static int DormantTimeSpan;. private static Dictionary<String, String> AdGroupDictionary = new Dictionary<String, String>();. private static String DomainSID;. private static Dictionary<String, String> AdGPODictionary = new Dictionary<String, String>();. private static Hashtable GUIDs = new Hashtable();. private static Dictionary<String, String> AdSIDDictionary = new Dictionary<String, String>();. private static readonly HashSet<string> Groups = new HashSet<strin
                                      C:\Users\user\AppData\Local\Temp\hmzbf4ad\hmzbf4ad.cmdline
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                                      Category:dropped
                                      Size (bytes):502
                                      Entropy (8bit):5.293414896955437
                                      Encrypted:false
                                      SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6KOkuqZbA3S7bAswkn23f37Uzxs7+AEszIwkn29:p37Lvkmb6KOkB8e8Pf/4WZEif/1
                                      MD5:2FEDE92D7F1B1F699784E0ECF371E154
                                      SHA1:90153D6E8B00C6CA60F08A4235EB209F2C4C939B
                                      SHA-256:84BCBFD6A2BE0BCE427090FE9376CA364998F59A65D859C89807AF306ADA5099
                                      SHA-512:72409186636F42861377D13097597263FC9656E14CDE2B342BD134F35DFC4074D3FBCE8C49F54F9DF66ED0925993DBD8A45706CA2B8722D1D1942E0F1CA4A9AB
                                      Malicious:false
                                      Preview: ./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll" /out:"C:\Users\user\AppData\Local\Temp\hmzbf4ad\hmzbf4ad.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\hmzbf4ad\hmzbf4ad.0.cs"
                                      C:\Users\user\AppData\Local\Temp\hmzbf4ad\hmzbf4ad.dll
                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):37888
                                      Entropy (8bit):5.108047151608629
                                      Encrypted:false
                                      SSDEEP:768:gdCrM0agt1pL1ZAGwZ+ATQpUvX1vNTd/pVf5/t3tK68RPDhB0yq8QoP:gdCrM0agDQ+qSDhCyaa
                                      MD5:0DB8B192DB985041BF78C7041B5103FC
                                      SHA1:A146F812CABBD8667B9826BFA4324708731BBDD3
                                      SHA-256:4EEC9CB7480D08799686A0F117458D33124F9951F551469A4E0720F86F6248CE
                                      SHA-512:C8082701A9F85280DB9CC6006990D3FBAF5059C4CE98A757181DB061563B50025D68949548251D7C7898ABA0DF5306FD9C061260E63441FB18F02B26BA4EBEDB
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`...........!................N.... ........... ....................................@.....................................K.................................................................................... ............... ..H............text...T.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.................0..`.......r...p.(......o....(.....~....o....o.....+...(.......~.....o....o.......(....-...........o......*......(.(P.........i*....0..B..............+.....t......o....r...po....o.....3..........X......i2..*.*...0.."............................r=..p(......*...0............rI..p(......*..0............r[..p(......*..0..,.......s...........ri..p(....&........r...p(......*.0............r...p(......*..0............r...p(......*..0..&.......s...........r...p(....&..r...p(......*...0......
                                      C:\Users\user\AppData\Local\Temp\hmzbf4ad\hmzbf4ad.out
                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                      File Type:ASCII text, with CRLF, CR line terminators
                                      Category:modified
                                      Size (bytes):412
                                      Entropy (8bit):4.871364761010112
                                      Encrypted:false
                                      SSDEEP:12:zKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:zKaM5DqBVKVrdFAMBJTH
                                      MD5:83B3C9D9190CE2C57B83EEE13A9719DF
                                      SHA1:ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E
                                      SHA-256:B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
                                      SHA-512:0DE42AC5924B8A8E977C1330E9D7151E9DCBB1892A038C1815321927DA3DB804EC13B129196B6BC84C7BFC9367C1571FCD128CCB0645EAC7418E39A91BC2FEDB
                                      Malicious:false
                                      Preview: Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                      C:\Users\user\AppData\Local\Temp\tfu5mvir\CSCED38EAF0BA2B44A19E4014561C643C3.TMP
                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                      File Type:MSVC .res
                                      Category:dropped
                                      Size (bytes):652
                                      Entropy (8bit):3.097603255426555
                                      Encrypted:false
                                      SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5grygioak7Ynqqpi9PN5Dlq5J:+RI+ycuZhNOakSGPNnqX
                                      MD5:F5B459ECA66C29113C2CDB5DC65CCA6F
                                      SHA1:94A8C9D1BF6B630885DA715D705E183FE5790D99
                                      SHA-256:1DE6EF62B3720C1DA82C8F213B7CC6A0BCB2D875FBE6AA8B4F115EFDA222A8D4
                                      SHA-512:212500CDA11970FC22A79AF91157566D77E1F82B2B077ED2C39F756FA187E4B7A9154EE4989D6A9A3510A70E3FC4D66626CB27366F7432023237EFB2C9942C79
                                      Malicious:false
                                      Preview: .... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...t.f.u.5.m.v.i.r...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...t.f.u.5.m.v.i.r...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                      C:\Users\user\AppData\Local\Temp\tfu5mvir\tfu5mvir.0.cs
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:C++ source, UTF-8 Unicode (with BOM) text
                                      Category:dropped
                                      Size (bytes):559
                                      Entropy (8bit):4.921580670118331
                                      Encrypted:false
                                      SSDEEP:12:V/DTLDfuzog9NAD1YbpJj6e2OthNADSINADtiOy:JjmzogKI3l2HSzIOy
                                      MD5:5CB55CC81CBFE307FEA693A618521A0B
                                      SHA1:B2FA5B07B649AB7C0028A7FBCB5EF3141342BA7A
                                      SHA-256:39F7CA91E94D19767C7DB10E0CBA0788B2349676DE29FA2B766B860334A93A3F
                                      SHA-512:2122D115E19584679B86C1669184CCACDB265CAEFBA4B306030473976A84325D2A31D09257D5F0504CABAC9EAC70A3749D87DEE1B18B543526C6522D05224B4F
                                      Malicious:false
                                      Preview: .using System;.using System.Runtime.InteropServices;..namespace ADRecon.{. public class Advapi32. {. [DllImport("advapi32.dll", SetLastError = true)]. public static extern bool LogonUser(string lpszUsername, string lpszDomain, string lpszPassword, int dwLogonType, int dwLogonProvider, out IntPtr phToken);.. [DllImport("advapi32.dll", SetLastError = true)]. public static extern bool ImpersonateLoggedOnUser(IntPtr hToken);.. [DllImport("advapi32.dll", SetLastError = true)]. public static extern bool RevertToSelf();.. }..}.
                                      C:\Users\user\AppData\Local\Temp\tfu5mvir\tfu5mvir.cmdline
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                                      Category:dropped
                                      Size (bytes):369
                                      Entropy (8bit):5.2161732279303195
                                      Encrypted:false
                                      SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23ftBUzxs7+AEszIwkn23ftbn:p37Lvkmb6KRfYWZEifV
                                      MD5:9FD0ABE39ED93E903448D882648F9C11
                                      SHA1:B46C59D7A63A5168AE5FCD8A26EF5D077F35F5B9
                                      SHA-256:5C73ADABE15A4E58A4A6AE49F5C562A7732AEE52DD1A98C54F99B5DE77977AA9
                                      SHA-512:F7533693F5736495298101EC042796EEF16FD691AADDAEE892B05D9C788AAFF3A5648792324D30796A3C876892531B3D73DFD12CB38AB4308725C73539F5DF6F
                                      Malicious:true
                                      Preview: ./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\tfu5mvir\tfu5mvir.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\tfu5mvir\tfu5mvir.0.cs"
                                      C:\Users\user\AppData\Local\Temp\tfu5mvir\tfu5mvir.dll
                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):3584
                                      Entropy (8bit):2.7564915970140667
                                      Encrypted:false
                                      SSDEEP:24:etGS6MhW2oe/yEC3Q5/YWp0Wd4LC62kM4tkZf0Rjtxw7I+ycuZhNOakSGPNnq:6zR7CAyWJkMvJ0RjXy1ulOa36q
                                      MD5:A665FB3D3C183FE441445EFC58D0E9CF
                                      SHA1:6B25ABC60A0C37A493219FADC148E0A0F7B00240
                                      SHA-256:AF9722A13043902F337FCACF8D9387A654D22BF4AFB3EBF7A4A649B8A03EA9E0
                                      SHA-512:81F63BBF98B7C0DC89A90BD3AAD2B67A470AD9123A1E384797F620E06EB6797819B46848530D496FE6AB9006403B19CEAAC6CEFDA21160DAD7039EF53C071E3E
                                      Malicious:false
                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`...........!................^$... ...@....... ....................................@..................................$..W....@.......................`....................................................... ............... ..H............text...d.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B..................(....*BSJB............v4.0.30319......l...\...#~......x...#Strings....@.......#US.H.......#GUID...X...T...#Blob...........G.........%3............................................................8.1...............0.....W....................... .............. ?............ I............ a.....P ......n.........t.......................................n.....n.".!.n...).n.'...n.......,.....5.j.@...?...@...I...@...a.....................N.................(..........<Module>.tfu5mvir.dll.A
                                      C:\Users\user\AppData\Local\Temp\tfu5mvir\tfu5mvir.out
                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                      File Type:ASCII text, with CRLF, CR line terminators
                                      Category:modified
                                      Size (bytes):412
                                      Entropy (8bit):4.871364761010112
                                      Encrypted:false
                                      SSDEEP:12:zKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:zKaM5DqBVKVrdFAMBJTH
                                      MD5:83B3C9D9190CE2C57B83EEE13A9719DF
                                      SHA1:ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E
                                      SHA-256:B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
                                      SHA-512:0DE42AC5924B8A8E977C1330E9D7151E9DCBB1892A038C1815321927DA3DB804EC13B129196B6BC84C7BFC9367C1571FCD128CCB0645EAC7418E39A91BC2FEDB
                                      Malicious:false
                                      Preview: Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                      C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\37EHO8F82PQCUKVGOBYU.temp
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):6205
                                      Entropy (8bit):3.761457724376558
                                      Encrypted:false
                                      SSDEEP:96:kPEG9mBX60CO+S/qdkvhkvCCtrXn3H8Xn3HV:UEG9mBcPJr8V
                                      MD5:DC270A2232DEA69AB1E3ADB526E7089E
                                      SHA1:37A5D67AC587B4DC2A36CE0F1F1FFD06C6C411CA
                                      SHA-256:5AE0312FE75CAC2C1E2F579A867DE10DC8AA597CD4627280A562079A7BDC08A5
                                      SHA-512:BC3220936AD072874C7CF7258BB17CC2940E30811C8093C38F540448BFBFCC5F98AA683CF4BACC7BC0A68976EB52D8BCBBC733FDAE2AE5DC0257D47CD8AB2B3D
                                      Malicious:false
                                      Preview: ...................................FL..................F.".. ....J...-...rt^.`..\.................................:..DG..Yr?.D..U..k0.&...&...........-..a..S....d.."Fd......t...CFSF..1......N....AppData...t.Y^...H.g.3..(.....gVA.G..k...@.......N...R.k.....Y....................yN|.A.p.p.D.a.t.a...B.V.1......N....Roaming.@.......N...R.k.....Y.....................K..R.o.a.m.i.n.g.....\.1.....>Q.;..MICROS~1..D.......N...R.k.....Y.....................sJ.M.i.c.r.o.s.o.f.t.....V.1.....>Q{<..Windows.@.......N...R.k.....Y......................Q.W.i.n.d.o.w.s.......1......N....STARTM~1..n.......N..>Q.;.....Y..............D.....6...S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1......P.S..Programs..j.......N..>Q.;.....Y..............@........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......L...WINDOW~1..V.......N..>QZ7.....Y....................T_..W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......L.. .WINDOW~1.LNK..^.......N...P3Q.....Y..........
                                      C:\Users\user\Documents\20210618\PowerShell_transcript.134349.jqYok04J.20210618153043.txt
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):1537
                                      Entropy (8bit):5.233932318873786
                                      Encrypted:false
                                      SSDEEP:48:BZ7vj0oORT89dqDYB1Z8Z+xanvqUuiVPZZC:BZbj0Ni3qDo1Z8DvqUuiVPZg
                                      MD5:85CAC918CD3BC0344A3B58C84CE27446
                                      SHA1:BC88191383B44DE2E24819B1DDCC11959E0172FF
                                      SHA-256:B7503521978F97E4D5766114F7C35D85C74559CEFD710F9A746270DB04C2BEB1
                                      SHA-512:F4D38175F32B95070C3158215922780DB10B6FCE40C733F9EA707B3C3042D3B0F26D1E19C1D217B34C8E9E578F5BA263444CD37424198518E03D1085027B075E
                                      Malicious:false
                                      Preview: .**********************..Windows PowerShell transcript start..Start time: 20210618153044..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 134349 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noLogo -ExecutionPolicy unrestricted -file C:\Users\user\Desktop\ADRecon-KPMG.ps1..Process ID: 6832..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210618153301..**********************..PS>TerminatingError(Import-Module): "The running command stopped because the preference variable "ErrorActionPreference" or common parameter is set to Stop: The specified module 'ActiveDirectory' was not loaded because no valid mo

                                      Static File Info

                                      General

                                      File type:UTF-8 Unicode (with BOM) text, with very long lines
                                      Entropy (8bit):5.256591239440088
                                      TrID:
                                      • Text - UTF-8 encoded (3003/1) 100.00%
                                      File name:ADRecon-KPMG.ps1
                                      File size:626599
                                      MD5:6008e6c3deaa08fb420d5efd469590c6
                                      SHA1:1c55b3e2c62932213a57ffb8a223fb2a52b4d170
                                      SHA256:ac00dd7d54764e0389de434f3203c2a3384d2ffcc20615f40f09c4c0646c8d3f
                                      SHA512:774d837ffbc8f883e1b5a8b03a1da2cff24e585356bd93f5a48e64bd47bba02bebfa1fe23d0b21db973a33c7bb83a72ed82a178824bba766e2c2a22e03aa37fd
                                      SSDEEP:12288:pRbDbhJGYDb/XwXMX9ycFb7b4JHzARyvQ1svRO9y9f:pRbDbhJGYDb/XwXMX9ycFb7b4JTsyvQm
                                      File Content Preview:...<#...SYNOPSIS.. ADRecon is a tool which gathers information about the Active Directory and generates a report which can provide a holistic picture of the current state of the target AD environment....DESCRIPTION.. ADRecon is a tool which extracts

                                      File Icon

                                      Icon Hash:72f2d6fef6f6dae4

                                      Network Behavior

                                      No network behavior found

                                      Code Manipulations

                                      Statistics

                                      CPU Usage

                                      Click to jump to process

                                      Memory Usage

                                      Click to jump to process

                                      High Level Behavior Distribution

                                      • File
                                      • Registry

                                      Click to dive into process behavior distribution

                                      Behavior

                                      Click to jump to process

                                      System Behavior

                                      Analysis Process: powershell.exe PID: 6832 Parent PID: 5848

                                      Function LogsAmsi Logs

                                      General

                                      Start time:15:30:41
                                      Start date:18/06/2021
                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      Wow64 process (32bit):false
                                      Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -noLogo -ExecutionPolicy unrestricted -file 'C:\Users\user\Desktop\ADRecon-KPMG.ps1'
                                      Imagebase:0x7ff7bedd0000
                                      File size:447488 bytes
                                      MD5 hash:95000560239032BC68B4C2FDFCDEF913
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:.Net C# or VB.NET
                                      Reputation:high
                                      Show Windows behavior

                                      File Activities

                                      Show Windows behavior

                                      Section Activities

                                      Show Windows behavior

                                      Registry Activities

                                      Show Windows behavior

                                      COM Activities

                                      Show Windows behavior

                                      Powershell Activities

                                      Show Windows behavior

                                      Mutex Activities

                                      Show Windows behavior

                                      Process Activities

                                      Show Windows behavior

                                      Thread Activities

                                      Show Windows behavior

                                      Memory Activities

                                      Show Windows behavior

                                      System Activities

                                      Show Windows behavior

                                      Timing Activities

                                      Show Windows behavior

                                      Windows UI Activities

                                      Show Windows behavior

                                      Process Token Activities

                                      Show Windows behavior

                                      Object Security Activities

                                      Show Windows behavior

                                      LPC Port Activities

                                      Analysis Process: conhost.exe PID: 6848 Parent PID: 6832

                                      Function Logs

                                      General

                                      Start time:15:30:42
                                      Start date:18/06/2021
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff724c50000
                                      File size:625664 bytes
                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Show Windows behavior

                                      File Activities

                                      Show Windows behavior

                                      Section Activities

                                      Show Windows behavior

                                      Registry Activities

                                      Show Windows behavior

                                      Mutex Activities

                                      Show Windows behavior

                                      Process Activities

                                      Show Windows behavior

                                      Thread Activities

                                      Show Windows behavior

                                      Memory Activities

                                      Show Windows behavior

                                      System Activities

                                      Show Windows behavior

                                      Timing Activities

                                      Show Windows behavior

                                      Windows UI Activities

                                      Show Windows behavior

                                      LPC Port Activities

                                      Analysis Process: csc.exe PID: 7120 Parent PID: 6832

                                      Function Logs

                                      General

                                      Start time:15:30:47
                                      Start date:18/06/2021
                                      Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                      Wow64 process (32bit):false
                                      Commandline:'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\tfu5mvir\tfu5mvir.cmdline'
                                      Imagebase:0x7ff743170000
                                      File size:2739304 bytes
                                      MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:.Net C# or VB.NET
                                      Reputation:moderate
                                      Show Windows behavior

                                      File Activities

                                      Show Windows behavior

                                      Section Activities

                                      Show Windows behavior

                                      Registry Activities

                                      Show Windows behavior

                                      Mutex Activities

                                      Show Windows behavior

                                      Process Activities

                                      Show Windows behavior

                                      Thread Activities

                                      Show Windows behavior

                                      Memory Activities

                                      Show Windows behavior

                                      System Activities

                                      Show Windows behavior

                                      LPC Port Activities

                                      Analysis Process: cvtres.exe PID: 4116 Parent PID: 7120

                                      Function Logs

                                      General

                                      Start time:15:30:48
                                      Start date:18/06/2021
                                      Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES7143.tmp' 'c:\Users\user\AppData\Local\Temp\tfu5mvir\CSCED38EAF0BA2B44A19E4014561C643C3.TMP'
                                      Imagebase:0x7ff6154c0000
                                      File size:47280 bytes
                                      MD5 hash:33BB8BE0B4F547324D93D5D2725CAC3D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:moderate
                                      Show Windows behavior

                                      File Activities

                                      Show Windows behavior

                                      Section Activities

                                      Show Windows behavior

                                      Registry Activities

                                      Show Windows behavior

                                      Process Activities

                                      Show Windows behavior

                                      Memory Activities

                                      Show Windows behavior

                                      System Activities

                                      Show Windows behavior

                                      LPC Port Activities

                                      Analysis Process: csc.exe PID: 2928 Parent PID: 6832

                                      Function Logs

                                      General

                                      Start time:15:30:51
                                      Start date:18/06/2021
                                      Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                      Wow64 process (32bit):false
                                      Commandline:'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\22kuy4qb\22kuy4qb.cmdline'
                                      Imagebase:0x7ff743170000
                                      File size:2739304 bytes
                                      MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:.Net C# or VB.NET
                                      Reputation:moderate
                                      Show Windows behavior

                                      File Activities

                                      Show Windows behavior

                                      Section Activities

                                      Show Windows behavior

                                      Registry Activities

                                      Show Windows behavior

                                      Mutex Activities

                                      Show Windows behavior

                                      Process Activities

                                      Show Windows behavior

                                      Thread Activities

                                      Show Windows behavior

                                      Memory Activities

                                      Show Windows behavior

                                      System Activities

                                      Show Windows behavior

                                      LPC Port Activities

                                      Analysis Process: cvtres.exe PID: 6228 Parent PID: 2928

                                      Function Logs

                                      General

                                      Start time:15:30:52
                                      Start date:18/06/2021
                                      Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES8066.tmp' 'c:\Users\user\AppData\Local\Temp\22kuy4qb\CSC73C42A17711C4AAFA64E46FCC8D6B36.TMP'
                                      Imagebase:0x7ff6154c0000
                                      File size:47280 bytes
                                      MD5 hash:33BB8BE0B4F547324D93D5D2725CAC3D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:moderate
                                      Show Windows behavior

                                      File Activities

                                      Show Windows behavior

                                      Section Activities

                                      Show Windows behavior

                                      Registry Activities

                                      Show Windows behavior

                                      Process Activities

                                      Show Windows behavior

                                      Memory Activities

                                      Show Windows behavior

                                      System Activities

                                      Show Windows behavior

                                      LPC Port Activities

                                      Analysis Process: csc.exe PID: 6492 Parent PID: 6832

                                      Function Logs

                                      General

                                      Start time:15:30:55
                                      Start date:18/06/2021
                                      Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                      Wow64 process (32bit):false
                                      Commandline:'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\2hftzesj\2hftzesj.cmdline'
                                      Imagebase:0x7ff743170000
                                      File size:2739304 bytes
                                      MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:.Net C# or VB.NET
                                      Reputation:moderate
                                      Show Windows behavior

                                      File Activities

                                      Show Windows behavior

                                      Section Activities

                                      Show Windows behavior

                                      Registry Activities

                                      Show Windows behavior

                                      Mutex Activities

                                      Show Windows behavior

                                      Process Activities

                                      Show Windows behavior

                                      Thread Activities

                                      Show Windows behavior

                                      Memory Activities

                                      Show Windows behavior

                                      System Activities

                                      Show Windows behavior

                                      LPC Port Activities

                                      Analysis Process: cvtres.exe PID: 6452 Parent PID: 6492

                                      Function Logs

                                      General

                                      Start time:15:30:56
                                      Start date:18/06/2021
                                      Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES9074.tmp' 'c:\Users\user\AppData\Local\Temp\2hftzesj\CSC11820CB0636E4CAF90F043817D702019.TMP'
                                      Imagebase:0x7ff6154c0000
                                      File size:47280 bytes
                                      MD5 hash:33BB8BE0B4F547324D93D5D2725CAC3D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:moderate
                                      Show Windows behavior

                                      File Activities

                                      Show Windows behavior

                                      Section Activities

                                      Show Windows behavior

                                      Registry Activities

                                      Show Windows behavior

                                      Process Activities

                                      Show Windows behavior

                                      Memory Activities

                                      Show Windows behavior

                                      System Activities

                                      Show Windows behavior

                                      LPC Port Activities

                                      Analysis Process: csc.exe PID: 5716 Parent PID: 6832

                                      Function Logs

                                      General

                                      Start time:15:31:02
                                      Start date:18/06/2021
                                      Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                      Wow64 process (32bit):false
                                      Commandline:'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\hmzbf4ad\hmzbf4ad.cmdline'
                                      Imagebase:0x7ff743170000
                                      File size:2739304 bytes
                                      MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:.Net C# or VB.NET
                                      Reputation:moderate
                                      Show Windows behavior

                                      File Activities

                                      Show Windows behavior

                                      Section Activities

                                      Show Windows behavior

                                      Registry Activities

                                      Show Windows behavior

                                      Mutex Activities

                                      Show Windows behavior

                                      Process Activities

                                      Show Windows behavior

                                      Thread Activities

                                      Show Windows behavior

                                      Memory Activities

                                      Show Windows behavior

                                      System Activities

                                      Show Windows behavior

                                      LPC Port Activities

                                      Analysis Process: cvtres.exe PID: 5688 Parent PID: 5716

                                      Function Logs

                                      General

                                      Start time:15:31:03
                                      Start date:18/06/2021
                                      Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESABDB.tmp' 'c:\Users\user\AppData\Local\Temp\hmzbf4ad\CSCE214703DB10E47A0BDD59CF4E3CD48D.TMP'
                                      Imagebase:0x7ff6154c0000
                                      File size:47280 bytes
                                      MD5 hash:33BB8BE0B4F547324D93D5D2725CAC3D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:moderate
                                      Show Windows behavior

                                      File Activities

                                      Show Windows behavior

                                      Section Activities

                                      Show Windows behavior

                                      Registry Activities

                                      Show Windows behavior

                                      Process Activities

                                      Show Windows behavior

                                      Memory Activities

                                      Show Windows behavior

                                      System Activities

                                      Show Windows behavior

                                      LPC Port Activities

                                      Disassembly

                                      Code Analysis

                                      Analysis Process: powershell.exe PID: 6832 Parent PID: 5848 powershell.exeCOMMON

                                      Executed Functions

                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.707817531.00007FFA35A80000.00000040.00000001.sdmp, Offset: 00007FFA35A80000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffa35a80000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 8s5$9b_H
                                      • API String ID: 0-2886319865
                                      • Opcode ID: e9ea03149ae13db049e71ec3e02b7f97bd45c8cf1b668b6343a9f64502e5b654
                                      • Instruction ID: 59c05e3650c805e7cf5d706ccbb29d9c4103bbd353f8f66a88a605c11ff374bd
                                      • Opcode Fuzzy Hash: e9ea03149ae13db049e71ec3e02b7f97bd45c8cf1b668b6343a9f64502e5b654
                                      • Instruction Fuzzy Hash: 26D1D430E18A4A8FDB98DF1CC489AA97BE1FF69311F148179D44DD7256DE36E842CB80
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.707817531.00007FFA35A80000.00000040.00000001.sdmp, Offset: 00007FFA35A80000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffa35a80000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5def5bb9124fe7f5e74b378696011ff99c314a9aa840f4691701be5e8023cefb
                                      • Instruction ID: 64de4a201f492267c67c8654c25757465491025e82f5c7c7e090e0d012a562f3
                                      • Opcode Fuzzy Hash: 5def5bb9124fe7f5e74b378696011ff99c314a9aa840f4691701be5e8023cefb
                                      • Instruction Fuzzy Hash: C8222862E1CB868FEB58DB1C98096A87FE1FF96714F5481B6D00CC728ADD25AC4697C0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.707817531.00007FFA35A80000.00000040.00000001.sdmp, Offset: 00007FFA35A80000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffa35a80000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2386895bf26d64169ffbd304d560c5f118da217da3c6c3222e85790e7d2d3aae
                                      • Instruction ID: e5980422e4b4fcc101e28dee598e8ecd8d82c0aa9b98c7911909ffb8798d13bd
                                      • Opcode Fuzzy Hash: 2386895bf26d64169ffbd304d560c5f118da217da3c6c3222e85790e7d2d3aae
                                      • Instruction Fuzzy Hash: 6C51083191CA8A4FD318DB1CD859AA6BBF1FFC6310F0486BBE04DC7192CE29A945D781
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.707817531.00007FFA35A80000.00000040.00000001.sdmp, Offset: 00007FFA35A80000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffa35a80000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3f7e5d640398adda19f7020c3d8c15d0054bab79bcde4febadb90630bac8cfc3
                                      • Instruction ID: 833918a8b17bc471b98275d6707a9b95032d49c6f12356337903a2d136a76cc6
                                      • Opcode Fuzzy Hash: 3f7e5d640398adda19f7020c3d8c15d0054bab79bcde4febadb90630bac8cfc3
                                      • Instruction Fuzzy Hash: 9E31C83091CB4C4FDB1C9B5C9C0A6A9BBE0EB99721F04826FE449D3252DB75A8558BC2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.707817531.00007FFA35A80000.00000040.00000001.sdmp, Offset: 00007FFA35A80000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffa35a80000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8e3747894b4f72c1a6c9c99c612966f291c09a74f98758a2cc4d7b5cf1ba3426
                                      • Instruction ID: 30e7e0a28d8581a995ab032de3f16d675b8759aa2366ec508278137a19a1fdc1
                                      • Opcode Fuzzy Hash: 8e3747894b4f72c1a6c9c99c612966f291c09a74f98758a2cc4d7b5cf1ba3426
                                      • Instruction Fuzzy Hash: 5A21063090CA4C4FEB59DFAC884A7E97BE0EBA6331F04826BD04DC7152DA75A406CB91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.707817531.00007FFA35A80000.00000040.00000001.sdmp, Offset: 00007FFA35A80000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffa35a80000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5ff24e6f2d286b56939eddbb22c5021be72d8a42e42b64b5aa8cc53164aaee34
                                      • Instruction ID: a95a7d2bf389f0c1bcbd565c40faf055e9ad4aed317cab7f4296be58902579eb
                                      • Opcode Fuzzy Hash: 5ff24e6f2d286b56939eddbb22c5021be72d8a42e42b64b5aa8cc53164aaee34
                                      • Instruction Fuzzy Hash: 63F0A932B2CB068FDB5C9A0CE84257573D1EB95325F10407EE18EC7297ED2BE8429641
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.707817531.00007FFA35A80000.00000040.00000001.sdmp, Offset: 00007FFA35A80000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffa35a80000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 41a3e58392e0c92bdc11ff23c788dfa358aa500590e4c1a104f6ac3825cb99bb
                                      • Instruction ID: ea624cab7fa94e02e09879826f52c4c1649e2b8e208e845b00998dcbacd20952
                                      • Opcode Fuzzy Hash: 41a3e58392e0c92bdc11ff23c788dfa358aa500590e4c1a104f6ac3825cb99bb
                                      • Instruction Fuzzy Hash: D601447115CB084FD758EF0CE451AA6B7E0FB95324F10056EE58AC3695DA26E882CB45
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.707817531.00007FFA35A80000.00000040.00000001.sdmp, Offset: 00007FFA35A80000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffa35a80000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c12d57b417f64f7d3bcc303dd3aaf09bcf9cb12402b40eb8e3e5b53b1009e571
                                      • Instruction ID: efda99324029fc6e8966263573dec310b06d1ef0c274c2d4a45c1ef6c052d0c8
                                      • Opcode Fuzzy Hash: c12d57b417f64f7d3bcc303dd3aaf09bcf9cb12402b40eb8e3e5b53b1009e571
                                      • Instruction Fuzzy Hash: 13F08C3235CA080BE70C6A1CB8524F973C1CBD5760B10817FE40AC6297DC16A88342C6
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.708360365.00007FFA35B50000.00000040.00000001.sdmp, Offset: 00007FFA35B50000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffa35b50000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: cb1f072713d62d3dee3ef87566d2766e2c7af11895490dda05053712e75ebcc5
                                      • Instruction ID: 301de1f67d8cd4e767386ed465bea2ccb910f53932bd1c81d346c08653427431
                                      • Opcode Fuzzy Hash: cb1f072713d62d3dee3ef87566d2766e2c7af11895490dda05053712e75ebcc5
                                      • Instruction Fuzzy Hash: 44F0B42170DB4A4FEB88CE1CE891660B792FBB972031406AEC44DCB29BC926DC41C7C1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.707817531.00007FFA35A80000.00000040.00000001.sdmp, Offset: 00007FFA35A80000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffa35a80000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8be96d76bb91dd8d248875e8f24bee88ddcd6808e4bffc98ac694a2c0b180b43
                                      • Instruction ID: 14e8a891876c6d448a671790e864f53c375fa0d689d1cc05a3b659bd4cae3738
                                      • Opcode Fuzzy Hash: 8be96d76bb91dd8d248875e8f24bee88ddcd6808e4bffc98ac694a2c0b180b43
                                      • Instruction Fuzzy Hash: 55F0243084C68D8FDB0A9F2888195E57FA0FF27310B080297E45CC70A2DB659858CBD2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.707817531.00007FFA35A80000.00000040.00000001.sdmp, Offset: 00007FFA35A80000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffa35a80000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 35dc378f4e3e2d4189dd2a26044574b273109e8f6cbde0a3c32985092bb7be6b
                                      • Instruction ID: bc38856ad9d0ed8f651d41d5204e1a757ec796ceb4feb39fa5c6179bcfed51bd
                                      • Opcode Fuzzy Hash: 35dc378f4e3e2d4189dd2a26044574b273109e8f6cbde0a3c32985092bb7be6b
                                      • Instruction Fuzzy Hash: C3F0303275C6044FDB5CAA1CF8429B573D1E799324B00016EE48BC2696D927E8438685
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.708360365.00007FFA35B50000.00000040.00000001.sdmp, Offset: 00007FFA35B50000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffa35b50000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 522280d08b5a7c77786004c6431f2cdcf5f8a57ea1d9a41176003751867f54ca
                                      • Instruction ID: e1a0016c480a727b1eac49e5c7c41fc780756e63dd17488f19fce3fbcd631e25
                                      • Opcode Fuzzy Hash: 522280d08b5a7c77786004c6431f2cdcf5f8a57ea1d9a41176003751867f54ca
                                      • Instruction Fuzzy Hash: 19F0B432A0DB8A8FE756E768A8510E8BFF0EF57360B1850F7D18DC7193D91A58468711
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.708360365.00007FFA35B50000.00000040.00000001.sdmp, Offset: 00007FFA35B50000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffa35b50000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ee0ec976285f4d70e33a902c82d6c583dfb7f77f567d1973868523c80493da86
                                      • Instruction ID: 54939d30e092c82a3865bcb4cda89ec764820d0afffa1fff5632534ae261f000
                                      • Opcode Fuzzy Hash: ee0ec976285f4d70e33a902c82d6c583dfb7f77f567d1973868523c80493da86
                                      • Instruction Fuzzy Hash: DDF09025A0D68A4FEB92AB6888551F8BBE1EF57350B1480FAC04CD7193DD2A5C59C712
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.708360365.00007FFA35B50000.00000040.00000001.sdmp, Offset: 00007FFA35B50000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffa35b50000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8985ab09864129143baa6d0b5f6c9732709c48058d275c3340034e316ceeb3e7
                                      • Instruction ID: b04e1aea6fad1cf7930abdfc978055276f9f5512e4a91f6e03a2c2460492161c
                                      • Opcode Fuzzy Hash: 8985ab09864129143baa6d0b5f6c9732709c48058d275c3340034e316ceeb3e7
                                      • Instruction Fuzzy Hash: BEE02623E0CD2E0EE2B9A35CBC052F492C0EB4AA23B0881B3D90CD31C6FC06AC1002C2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Non-executed Functions

                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.707817531.00007FFA35A80000.00000040.00000001.sdmp, Offset: 00007FFA35A80000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffa35a80000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2047b3f61c859e33b6188f09a886191be6bd29ac681c64cd81de0fd27fbdd73e
                                      • Instruction ID: b2a2d41dcc5c5b24d659a1dd80682d4e4f731388198a8efb159f53e5d74ee587
                                      • Opcode Fuzzy Hash: 2047b3f61c859e33b6188f09a886191be6bd29ac681c64cd81de0fd27fbdd73e
                                      • Instruction Fuzzy Hash: 50B10531E2CA8B4FD36CDB5C94855B1BBD0EF46710B1485BEC48EC7682EE26B8429780
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.707817531.00007FFA35A80000.00000040.00000001.sdmp, Offset: 00007FFA35A80000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffa35a80000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 382a946a4d190ad3d77b15683ad1e9bb1b9ff6bdb61263dcdea075c86050beba
                                      • Instruction ID: 5a70680fbf920b0a23d189795d8992c0822abfc37961d04702e5367d89168dea
                                      • Opcode Fuzzy Hash: 382a946a4d190ad3d77b15683ad1e9bb1b9ff6bdb61263dcdea075c86050beba
                                      • Instruction Fuzzy Hash: E8514932E1CA5A4FE72C9B2CA4855B67BD0EF87730B04817FC58EC7196DD2978459380
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.707817531.00007FFA35A80000.00000040.00000001.sdmp, Offset: 00007FFA35A80000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffa35a80000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: fc3d226518ce672d9fb0c54de574428a2387142e4e9e554a1ee76bef61eb14d2
                                      • Instruction ID: 47427c37a0648ae42b280c256c4d01604b832460eb023c51cf9dcf11941c10f3
                                      • Opcode Fuzzy Hash: fc3d226518ce672d9fb0c54de574428a2387142e4e9e554a1ee76bef61eb14d2
                                      • Instruction Fuzzy Hash: B8414F46C1D2D31EE71A637CA8660E53F608F03778F1984B3D28D898E3FD0D68999266
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.708360365.00007FFA35B50000.00000040.00000001.sdmp, Offset: 00007FFA35B50000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffa35b50000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8608345738d75149ead69d2306663b6b758beecd6dd11c987ddd176a40e2d673
                                      • Instruction ID: 94fcfd8b4637b422a376db27072b50b733b8f629596f7de832f556d76df7b2f0
                                      • Opcode Fuzzy Hash: 8608345738d75149ead69d2306663b6b758beecd6dd11c987ddd176a40e2d673
                                      • Instruction Fuzzy Hash: 2C118C5290EBC28FE3575B7888260B0BFB0AF1351070E45EBC0D88B5A3E90E0D49D7A3
                                      Uniqueness

                                      Uniqueness Score: -1.00%