Play interactive tour

Edit tour

Windows Analysis Report ADRecon-KPMG.ps1

Overview

General Information

Sample Name:	ADRecon-KPMG.ps1
Analysis ID:	436762
MD5:	6008e6c3deaa08fb420d5efd469590c6
SHA1:	1c55b3e2c62932213a57ffb8a223fb2a52b4d170
SHA256:	ac00dd7d54764e0389de434f3203c2a3384d2ffcc20615f40f09c4c0646c8d3f
Infos:
Most interesting Screenshot:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Opens network shares

Sigma detected: Suspicious Csc.exe Source File Folder

Compiles C# or VB.Net code

Contains capabilities to detect virtual machines

Contains functionality to detect virtual machines (SLDT)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file does not import any functions

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

powershell.exe (PID: 6832 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -noLogo -ExecutionPolicy unrestricted -file 'C:\Users\user\Desktop\ADRecon-KPMG.ps1' MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 6848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

csc.exe (PID: 7120 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\tfu5mvir\tfu5mvir.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)

cvtres.exe (PID: 4116 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES7143.tmp' 'c:\Users\user\AppData\Local\Temp\tfu5mvir\CSCED38EAF0BA2B44A19E4014561C643C3.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)

csc.exe (PID: 2928 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\22kuy4qb\22kuy4qb.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)

cvtres.exe (PID: 6228 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES8066.tmp' 'c:\Users\user\AppData\Local\Temp\22kuy4qb\CSC73C42A17711C4AAFA64E46FCC8D6B36.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)

csc.exe (PID: 6492 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\2hftzesj\2hftzesj.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)

cvtres.exe (PID: 6452 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES9074.tmp' 'c:\Users\user\AppData\Local\Temp\2hftzesj\CSC11820CB0636E4CAF90F043817D702019.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)

csc.exe (PID: 5716 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\hmzbf4ad\hmzbf4ad.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)

cvtres.exe (PID: 5688 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESABDB.tmp' 'c:\Users\user\AppData\Local\Temp\hmzbf4ad\CSCE214703DB10E47A0BDD59CF4E3CD48D.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: Suspicious Csc.exe Source File Folder

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\tfu5mvir\tfu5mvir.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\tfu5mvir\tfu5mvir.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -noLogo -ExecutionPolicy unrestricted -file 'C:\Users\user\Desktop\ADRecon-KPMG.ps1', ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6832, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\tfu5mvir\tfu5mvir.cmdline', ProcessId: 7120

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\2hftzesj\2hftzesj.dll	Avira: detection malicious, Label: HEUR/AGEN.1138338
Source: C:\Users\user\AppData\Local\Temp\hmzbf4ad\hmzbf4ad.dll	Avira: detection malicious, Label: HEUR/AGEN.1138338

Source:	Binary string: ement.Automation.pdbreP= source: powershell.exe, 00000000.00000002.697248073.000002D24268A000.00000004.00000020.sdmp
Source:	Binary string: e.pdb\| source: powershell.exe, 00000000.00000003.696098701.000002D25C7E5000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.DirectoryServices.pdb\u\ source: powershell.exe, 00000000.00000003.694667944.000002D25C6DC000.00000004.00000001.sdmp
Source:	Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 00000004.00000002.657005540.00000290C1170000.00000002.00000001.sdmp, csc.exe, 00000007.00000002.665233699.000001B15B230000.00000002.00000001.sdmp, csc.exe, 0000000A.00000002.678774607.000001EF6AFB0000.00000002.00000001.sdmp, csc.exe, 0000000C.00000002.691833971.0000020A557B0000.00000002.00000001.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\tfu5mvir\tfu5mvir.pdbXP source: powershell.exe, 00000000.00000002.701443333.000002D245066000.00000004.00000001.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\22kuy4qb\22kuy4qb.pdb source: powershell.exe, 00000000.00000002.701443333.000002D245066000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000000.00000003.694999294.000002D25C755000.00000004.00000001.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\hmzbf4ad\hmzbf4ad.pdb source: powershell.exe, 00000000.00000002.701654895.000002D24520C000.00000004.00000001.sdmp
Source:	Binary string: mscorlib.pdb source: powershell.exe, 00000000.00000003.694999294.000002D25C755000.00000004.00000001.sdmp
Source:	Binary string: \2b.pdb source: powershell.exe, 00000000.00000003.694836548.000002D25C733000.00000004.00000001.sdmp
Source:	Binary string: System.DirectoryServices.pdb source: powershell.exe, 00000000.00000003.696098701.000002D25C7E5000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.pdbd source: powershell.exe, 00000000.00000003.694999294.000002D25C755000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\System.Core.pdb source: powershell.exe, 00000000.00000003.694999294.000002D25C755000.00000004.00000001.sdmp
Source:	Binary string: adows\System.Core.pdb source: powershell.exe, 00000000.00000002.706309325.000002D25C7B6000.00000004.00000001.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\2hftzesj\2hftzesj.pdbXP source: powershell.exe, 00000000.00000002.701535735.000002D245138000.00000004.00000001.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\22kuy4qb\22kuy4qb.pdbXP source: powershell.exe, 00000000.00000002.701443333.000002D245066000.00000004.00000001.sdmp
Source:	Binary string: d.pdb source: powershell.exe, 00000000.00000003.694999294.000002D25C755000.00000004.00000001.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\tfu5mvir\tfu5mvir.pdb source: powershell.exe, 00000000.00000002.701443333.000002D245066000.00000004.00000001.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\2hftzesj\2hftzesj.pdb source: powershell.exe, 00000000.00000002.701513748.000002D245116000.00000004.00000001.sdmp
Source:	Binary string: System.Management.Automation.pdb-4437-8B11-F4 source: powershell.exe, 00000000.00000003.694999294.000002D25C755000.00000004.00000001.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\hmzbf4ad\hmzbf4ad.pdbXP source: powershell.exe, 00000000.00000002.701654895.000002D24520C000.00000004.00000001.sdmp
Source:	Binary string: re.pdb source: powershell.exe, 00000000.00000003.694999294.000002D25C755000.00000004.00000001.sdmp

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Source: powershell.exe, 00000000.00000002.706058883.000002D25C55A000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000000.00000002.706464108.000002D25CAA8000.00000004.00000001.sdmp	String found in binary or memory: http://crl.m-Z
Source: powershell.exe, 00000000.00000002.706464108.000002D25CAA8000.00000004.00000001.sdmp	String found in binary or memory: http://crl.micr
Source: powershell.exe, 00000000.00000003.696345714.000002D25C5B3000.00000004.00000001.sdmp	String found in binary or memory: http://crl.microsoft
Source: powershell.exe, 00000000.00000003.645279942.000002D25CA81000.00000004.00000001.sdmp, ADRecon-KPMG.ps1	String found in binary or memory: http://dmcritchie.mvps.org/excel/colors.htm
Source: powershell.exe, 00000000.00000003.649772237.000002D254968000.00000004.00000001.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.698312596.000002D24471F000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.698105161.000002D244511000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.698312596.000002D24471F000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000003.645279942.000002D25CA81000.00000004.00000001.sdmp, ADRecon-KPMG.ps1	String found in binary or memory: http://www.excelhowto.com/macros/formatting-a-range-of-cells-in-excel-vba/
Source: powershell.exe, 00000000.00000002.698312596.000002D24471F000.00000004.00000001.sdmp, powershell.exe, 00000000.00000003.645279942.000002D25CA81000.00000004.00000001.sdmp, ADRecon-KPMG.ps1	String found in binary or memory: https://acsc.gov.au/infosec/ism/
Source: ADRecon-KPMG.ps1	String found in binary or memory: https://adsecurity.org/?p=440
Source: powershell.exe, 00000000.00000003.649772237.000002D254968000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000003.649772237.000002D254968000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000003.649772237.000002D254968000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/License
Source: ADRecon-KPMG.ps1	String found in binary or memory: https://github.com/BloodHoundAD/BloodHound/blob/master/PowerShell/BloodHound.ps1
Source: powershell.exe, 00000000.00000003.645279942.000002D25CA81000.00000004.00000001.sdmp, ADRecon-KPMG.ps1	String found in binary or memory: https://github.com/GoateePFE/GPLinkReport/blob/master/gPLinkReport.ps1
Source: powershell.exe, 00000000.00000002.698312596.000002D24471F000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: ADRecon-KPMG.ps1	String found in binary or memory: https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
Source: powershell.exe, 00000000.00000003.645279942.000002D25CA81000.00000004.00000001.sdmp, ADRecon-KPMG.ps1	String found in binary or memory: https://github.com/kfosaaen/Get-LAPSPasswords/blob/master/Get-LAPSPasswords.ps1
Source: ADRecon-KPMG.ps1	String found in binary or memory: https://github.com/sense-of-security/ADRecon
Source: powershell.exe, 00000000.00000002.698312596.000002D24471F000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/sense-of-security/ADReconpp_B
Source: powershell.exe, 00000000.00000003.645279942.000002D25CA81000.00000004.00000001.sdmp, ADRecon-KPMG.ps1	String found in binary or memory: https://github.com/vletoux/SmbScanner/blob/master/smbscanner.ps1
Source: powershell.exe, 00000000.00000002.705321526.000002D2460C6000.00000004.00000001.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000000.00000002.705834814.000002D25482A000.00000004.00000001.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: ADRecon-KPMG.ps1	String found in binary or memory: https://raw.githubusercontent.com/mmessano/PowerShell/master/dns-dump.ps1
Source: powershell.exe, 00000000.00000003.645279942.000002D25CA81000.00000004.00000001.sdmp, ADRecon-KPMG.ps1	String found in binary or memory: https://tools.ietf.org/html/rfc4121#section-4.1)
Source: powershell.exe, 00000000.00000002.698312596.000002D24471F000.00000004.00000001.sdmp, powershell.exe, 00000000.00000003.645279942.000002D25CA81000.00000004.00000001.sdmp, ADRecon-KPMG.ps1	String found in binary or memory: https://www.cisecurity.org/benchmark/microsoft_windows_server/
Source: powershell.exe, 00000000.00000003.645279942.000002D25CA81000.00000004.00000001.sdmp, ADRecon-KPMG.ps1	String found in binary or memory: https://www.ibm.com/support/knowledgecenter/en/ssw_aix_71/com.ibm.aix.security/ad_password_attribute
Source: powershell.exe, 00000000.00000002.698312596.000002D24471F000.00000004.00000001.sdmp, powershell.exe, 00000000.00000003.645279942.000002D25CA81000.00000004.00000001.sdmp, ADRecon-KPMG.ps1	String found in binary or memory: https://www.pcisecuritystandards.org/document_library?category=pcidss&document=pci_dss
Source: ADRecon-KPMG.ps1	String found in binary or memory: https://www.senseofsecurity.com.au

System Summary:

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFA35A80CD0	0_2_00007FFA35A80CD0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFA35A820C8	0_2_00007FFA35A820C8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFA35A80D30	0_2_00007FFA35A80D30

Source: 22kuy4qb.dll.7.dr	Static PE information: No import functions for PE file found
Source: 2hftzesj.dll.10.dr	Static PE information: No import functions for PE file found
Source: hmzbf4ad.dll.12.dr	Static PE information: No import functions for PE file found
Source: tfu5mvir.dll.4.dr	Static PE information: No import functions for PE file found

Source: classification engine

Classification label: mal56.spyw.winPS1@18/34@0/0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\Documents\20210618

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6848:120:WilError_01

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rorwv0kw.kes.ps1

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -noLogo -ExecutionPolicy unrestricted -file 'C:\Users\user\Desktop\ADRecon-KPMG.ps1'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\tfu5mvir\tfu5mvir.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES7143.tmp' 'c:\Users\user\AppData\Local\Temp\tfu5mvir\CSCED38EAF0BA2B44A19E4014561C643C3.TMP'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\22kuy4qb\22kuy4qb.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES8066.tmp' 'c:\Users\user\AppData\Local\Temp\22kuy4qb\CSC73C42A17711C4AAFA64E46FCC8D6B36.TMP'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\2hftzesj\2hftzesj.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES9074.tmp' 'c:\Users\user\AppData\Local\Temp\2hftzesj\CSC11820CB0636E4CAF90F043817D702019.TMP'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\hmzbf4ad\hmzbf4ad.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESABDB.tmp' 'c:\Users\user\AppData\Local\Temp\hmzbf4ad\CSCE214703DB10E47A0BDD59CF4E3CD48D.TMP'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\tfu5mvir\tfu5mvir.cmdline'	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\22kuy4qb\22kuy4qb.cmdline'	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\2hftzesj\2hftzesj.cmdline'	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\hmzbf4ad\hmzbf4ad.cmdline'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES7143.tmp' 'c:\Users\user\AppData\Local\Temp\tfu5mvir\CSCED38EAF0BA2B44A19E4014561C643C3.TMP'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES8066.tmp' 'c:\Users\user\AppData\Local\Temp\22kuy4qb\CSC73C42A17711C4AAFA64E46FCC8D6B36.TMP'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES9074.tmp' 'c:\Users\user\AppData\Local\Temp\2hftzesj\CSC11820CB0636E4CAF90F043817D702019.TMP'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESABDB.tmp' 'c:\Users\user\AppData\Local\Temp\hmzbf4ad\CSCE214703DB10E47A0BDD59CF4E3CD48D.TMP'	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: ement.Automation.pdbreP= source: powershell.exe, 00000000.00000002.697248073.000002D24268A000.00000004.00000020.sdmp
Source:	Binary string: e.pdb\| source: powershell.exe, 00000000.00000003.696098701.000002D25C7E5000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.DirectoryServices.pdb\u\ source: powershell.exe, 00000000.00000003.694667944.000002D25C6DC000.00000004.00000001.sdmp
Source:	Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 00000004.00000002.657005540.00000290C1170000.00000002.00000001.sdmp, csc.exe, 00000007.00000002.665233699.000001B15B230000.00000002.00000001.sdmp, csc.exe, 0000000A.00000002.678774607.000001EF6AFB0000.00000002.00000001.sdmp, csc.exe, 0000000C.00000002.691833971.0000020A557B0000.00000002.00000001.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\tfu5mvir\tfu5mvir.pdbXP source: powershell.exe, 00000000.00000002.701443333.000002D245066000.00000004.00000001.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\22kuy4qb\22kuy4qb.pdb source: powershell.exe, 00000000.00000002.701443333.000002D245066000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000000.00000003.694999294.000002D25C755000.00000004.00000001.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\hmzbf4ad\hmzbf4ad.pdb source: powershell.exe, 00000000.00000002.701654895.000002D24520C000.00000004.00000001.sdmp
Source:	Binary string: mscorlib.pdb source: powershell.exe, 00000000.00000003.694999294.000002D25C755000.00000004.00000001.sdmp
Source:	Binary string: \2b.pdb source: powershell.exe, 00000000.00000003.694836548.000002D25C733000.00000004.00000001.sdmp
Source:	Binary string: System.DirectoryServices.pdb source: powershell.exe, 00000000.00000003.696098701.000002D25C7E5000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.pdbd source: powershell.exe, 00000000.00000003.694999294.000002D25C755000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\System.Core.pdb source: powershell.exe, 00000000.00000003.694999294.000002D25C755000.00000004.00000001.sdmp
Source:	Binary string: adows\System.Core.pdb source: powershell.exe, 00000000.00000002.706309325.000002D25C7B6000.00000004.00000001.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\2hftzesj\2hftzesj.pdbXP source: powershell.exe, 00000000.00000002.701535735.000002D245138000.00000004.00000001.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\22kuy4qb\22kuy4qb.pdbXP source: powershell.exe, 00000000.00000002.701443333.000002D245066000.00000004.00000001.sdmp
Source:	Binary string: d.pdb source: powershell.exe, 00000000.00000003.694999294.000002D25C755000.00000004.00000001.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\tfu5mvir\tfu5mvir.pdb source: powershell.exe, 00000000.00000002.701443333.000002D245066000.00000004.00000001.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\2hftzesj\2hftzesj.pdb source: powershell.exe, 00000000.00000002.701513748.000002D245116000.00000004.00000001.sdmp
Source:	Binary string: System.Management.Automation.pdb-4437-8B11-F4 source: powershell.exe, 00000000.00000003.694999294.000002D25C755000.00000004.00000001.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\hmzbf4ad\hmzbf4ad.pdbXP source: powershell.exe, 00000000.00000002.701654895.000002D24520C000.00000004.00000001.sdmp
Source:	Binary string: re.pdb source: powershell.exe, 00000000.00000003.694999294.000002D25C755000.00000004.00000001.sdmp

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\tfu5mvir\tfu5mvir.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\22kuy4qb\22kuy4qb.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\2hftzesj\2hftzesj.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\hmzbf4ad\hmzbf4ad.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\tfu5mvir\tfu5mvir.cmdline'	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\22kuy4qb\22kuy4qb.cmdline'	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\2hftzesj\2hftzesj.cmdline'	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\hmzbf4ad\hmzbf4ad.cmdline'	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFA35A81A97 push esi; retf	0_2_00007FFA35A81A9A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFA35A81B65 push eax; retf	0_2_00007FFA35A81B69
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFA35A81D55 pushfd ; retf	0_2_00007FFA35A81D6A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFA35A80F7D push ebp; retf	0_2_00007FFA35A80F82
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFA35A81B85 pushad ; retf	0_2_00007FFA35A81B89
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFA35A83F0D push es; iretd	0_2_00007FFA35A83F22
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFA35A87F17 push ebx; ret	0_2_00007FFA35A87F1A

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\hmzbf4ad\hmzbf4ad.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\22kuy4qb\22kuy4qb.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\2hftzesj\2hftzesj.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\tfu5mvir\tfu5mvir.dll	Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 0_2_00007FFA35B50FD1 sldt word ptr [eax]

0_2_00007FFA35B50FD1

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5144			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3685			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\hmzbf4ad\hmzbf4ad.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\22kuy4qb\22kuy4qb.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2hftzesj\2hftzesj.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tfu5mvir\tfu5mvir.dll	Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6992

Thread sleep time: -3689348814741908s >= -30000s

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Source: powershell.exe, 00000000.00000002.706470844.000002D25CC20000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: powershell.exe, 00000000.00000002.698312596.000002D24471F000.00000004.00000001.sdmp	Binary or memory string: BUILTIN\Hyper-V Administrators
Source: powershell.exe, 00000000.00000003.696098701.000002D25C7E5000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll-2125563209-4053062332-1002_Classes\TypeLib\{97d25db0-0363-11cf-abc4-02608c9e7553}\1.0\409n64
Source: powershell.exe, 00000000.00000003.645279942.000002D25CA81000.00000004.00000001.sdmp, ADRecon-KPMG.ps1	Binary or memory string: 'S-1-5-32-578' { 'BUILTIN\Hyper-V Administrators' }
Source: powershell.exe, 00000000.00000002.706470844.000002D25CC20000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: powershell.exe, 00000000.00000002.706470844.000002D25CC20000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: powershell.exe, 00000000.00000002.706470844.000002D25CC20000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\tfu5mvir\tfu5mvir.cmdline'	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\22kuy4qb\22kuy4qb.cmdline'	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\2hftzesj\2hftzesj.cmdline'	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\hmzbf4ad\hmzbf4ad.cmdline'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES7143.tmp' 'c:\Users\user\AppData\Local\Temp\tfu5mvir\CSCED38EAF0BA2B44A19E4014561C643C3.TMP'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES8066.tmp' 'c:\Users\user\AppData\Local\Temp\22kuy4qb\CSC73C42A17711C4AAFA64E46FCC8D6B36.TMP'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES9074.tmp' 'c:\Users\user\AppData\Local\Temp\2hftzesj\CSC11820CB0636E4CAF90F043817D702019.TMP'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESABDB.tmp' 'c:\Users\user\AppData\Local\Temp\hmzbf4ad\CSCE214703DB10E47A0BDD59CF4E3CD48D.TMP'	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Opens network shares

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: \\computer*\MAILSLOT\NET\NETLOGON			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: \\computer*\MAILSLOT\NET\NETLOGON			Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	Path Interception	Process Injection11	Masquerading1	OS Credential Dumping	Network Share Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion51	LSASS Memory	Query Registry1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection11	Security Account Manager	Security Software Discovery21	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information1	NTDS	Process Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	Virtualization/Sandbox Evasion51	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	Application Window Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	File and Directory Discovery2	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Information Discovery22	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
ADRecon-KPMG.ps1	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\2hftzesj\2hftzesj.dll	100%	Avira	HEUR/AGEN.1138338
C:\Users\user\AppData\Local\Temp\hmzbf4ad\hmzbf4ad.dll	100%	Avira	HEUR/AGEN.1138338

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://crl.microsoft	0%	URL Reputation	safe
http://crl.microsoft	0%	URL Reputation	safe
http://crl.microsoft	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://raw.githubusercontent.com/mmessano/PowerShell/master/dns-dump.ps1	0%	Avira URL Cloud	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://www.excelhowto.com/macros/formatting-a-range-of-cells-in-excel-vba/	0%	Avira URL Cloud	safe
https://acsc.gov.au/infosec/ism/	0%	Avira URL Cloud	safe
https://contoso.com/	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
http://crl.micr	0%	URL Reputation	safe
http://crl.micr	0%	URL Reputation	safe
http://crl.micr	0%	URL Reputation	safe
http://crl.m-Z	0%	Avira URL Cloud	safe
https://www.senseofsecurity.com.au	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000000.00000003.649772237.000002D254968000.00000004.00000001.sdmp	false		high
https://github.com/sense-of-security/ADReconpp_B	powershell.exe, 00000000.00000002.698312596.000002D24471F000.00000004.00000001.sdmp	false		high
https://github.com/vletoux/SmbScanner/blob/master/smbscanner.ps1	powershell.exe, 00000000.00000003.645279942.000002D25CA81000.00000004.00000001.sdmp, ADRecon-KPMG.ps1	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000000.00000002.698312596.000002D24471F000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.microsoft	powershell.exe, 00000000.00000003.696345714.000002D25C5B3000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000000.00000002.698312596.000002D24471F000.00000004.00000001.sdmp	false		high
https://go.micro	powershell.exe, 00000000.00000002.705321526.000002D2460C6000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://raw.githubusercontent.com/mmessano/PowerShell/master/dns-dump.ps1	ADRecon-KPMG.ps1	false	Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 00000000.00000003.649772237.000002D254968000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://adsecurity.org/?p=440	ADRecon-KPMG.ps1	false		high
https://contoso.com/Icon	powershell.exe, 00000000.00000003.649772237.000002D254968000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.excelhowto.com/macros/formatting-a-range-of-cells-in-excel-vba/	powershell.exe, 00000000.00000003.645279942.000002D25CA81000.00000004.00000001.sdmp, ADRecon-KPMG.ps1	false	Avira URL Cloud: safe	unknown
http://dmcritchie.mvps.org/excel/colors.htm	powershell.exe, 00000000.00000003.645279942.000002D25CA81000.00000004.00000001.sdmp, ADRecon-KPMG.ps1	false		high
https://github.com/GoateePFE/GPLinkReport/blob/master/gPLinkReport.ps1	powershell.exe, 00000000.00000003.645279942.000002D25CA81000.00000004.00000001.sdmp, ADRecon-KPMG.ps1	false		high
https://github.com/Pester/Pester	powershell.exe, 00000000.00000002.698312596.000002D24471F000.00000004.00000001.sdmp	false		high
https://acsc.gov.au/infosec/ism/	powershell.exe, 00000000.00000002.698312596.000002D24471F000.00000004.00000001.sdmp, powershell.exe, 00000000.00000003.645279942.000002D25CA81000.00000004.00000001.sdmp, ADRecon-KPMG.ps1	false	Avira URL Cloud: safe	unknown
https://github.com/BloodHoundAD/BloodHound/blob/master/PowerShell/BloodHound.ps1	ADRecon-KPMG.ps1	false		high
https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1	ADRecon-KPMG.ps1	false		high
https://tools.ietf.org/html/rfc4121#section-4.1)	powershell.exe, 00000000.00000003.645279942.000002D25CA81000.00000004.00000001.sdmp, ADRecon-KPMG.ps1	false		high
https://contoso.com/	powershell.exe, 00000000.00000003.649772237.000002D254968000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000000.00000002.705834814.000002D25482A000.00000004.00000001.sdmp	false		high
https://www.ibm.com/support/knowledgecenter/en/ssw_aix_71/com.ibm.aix.security/ad_password_attribute	powershell.exe, 00000000.00000003.645279942.000002D25CA81000.00000004.00000001.sdmp, ADRecon-KPMG.ps1	false		high
https://www.cisecurity.org/benchmark/microsoft_windows_server/	powershell.exe, 00000000.00000002.698312596.000002D24471F000.00000004.00000001.sdmp, powershell.exe, 00000000.00000003.645279942.000002D25CA81000.00000004.00000001.sdmp, ADRecon-KPMG.ps1	false		high
https://github.com/sense-of-security/ADRecon	ADRecon-KPMG.ps1	false		high
http://crl.micr	powershell.exe, 00000000.00000002.706464108.000002D25CAA8000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000000.00000002.698105161.000002D244511000.00000004.00000001.sdmp	false		high
https://www.pcisecuritystandards.org/document_library?category=pcidss&document=pci_dss	powershell.exe, 00000000.00000002.698312596.000002D24471F000.00000004.00000001.sdmp, powershell.exe, 00000000.00000003.645279942.000002D25CA81000.00000004.00000001.sdmp, ADRecon-KPMG.ps1	false		high
http://crl.m-Z	powershell.exe, 00000000.00000002.706464108.000002D25CAA8000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.senseofsecurity.com.au	ADRecon-KPMG.ps1	false	Avira URL Cloud: safe	unknown
https://github.com/kfosaaen/Get-LAPSPasswords/blob/master/Get-LAPSPasswords.ps1	powershell.exe, 00000000.00000003.645279942.000002D25CA81000.00000004.00000001.sdmp, ADRecon-KPMG.ps1	false		high

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	436762
Start date:	18.06.2021
Start time:	15:29:57
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	ADRecon-KPMG.ps1
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal56.spyw.winPS1@18/34@0/0
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 14 Number of non-executed functions: 4
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .ps1 Stop behavior analysis, all processes terminated
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Execution Graph export aborted for target powershell.exe, PID 6832 because it is empty Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtSetInformationFile calls found. VT rate limit hit for: /opt/package/joesandbox/database/analysis/436762/sample/ADRecon-KPMG.ps1

Simulations

Behavior and APIs

Time	Type	Description
15:30:45	API Interceptor	40x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	17949
Entropy (8bit):	4.998762997516168
Encrypted:	false
SSDEEP:	384:Awib4LEVoGIpN6KQkj2jkjh4iUxLzv0ifOdBVNXp5CYoY4Qib4w:AEEV3IpNBQkj22h4iUxLzv0ifOdBVNZw
MD5:	BA27C7CD4B91D42164C0D41B8CB77AF5
SHA1:	D39DCE142D49FB1B059F966A3D15861691D03D79
SHA-256:	5F4B9E6C824ED7397D5B0CE093B4162AEB4D2627779423DE4960AF7F395F1C07
SHA-512:	2B9524B0BB94DECC7C464A4DB88241F4FD62F22D9DDB217D0735715D935C0BD7FA60D2B02628025787D8D19E38153EAF887B7AEA24F2516ADE1A0019FE2D75AA
Malicious:	false
Reputation:	low
Preview:	PSMODULECACHE.............S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script..........Y.....C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1300
Entropy (8bit):	5.343226012152825
Encrypted:	false
SSDEEP:	24:3vQPpQrLAo4KAxX5qRPD42HOoFe9t4CvKuKnKzOaBPnXF8PQ9fT:oPerB4nqRL/HvFe9t4Cv94vOfV8Y9fT
MD5:	A24C10403F187961D1B171A952190A71
SHA1:	2D4397D0677F98F4DD7B105F2860970DE13C8774
SHA-256:	9ECA12CD874FD2BEC7CAFE7A7D532B10C299D771F859A03D72ACB62448801965
SHA-512:	CCC20614D003810224A9CAEA2AA6F66833A868C1480FE7B33902B6E92A276036A636311ED43CA359A8E3E2A9A5FB99DFF3381B5F04BF62C80A8E7CDAE811665F
Malicious:	false
Reputation:	low
Preview:	@...e................................................@..........8................'....L..}............System.Numerics.H...............<@.^.L."My...:...... .Microsoft.PowerShell.ConsoleHost0...............G-.o...A...4B..........System..4...............[...{a.C..%6..h.........System.Core.D...............fZve...F.....x.)........System.Management.AutomationL...............7.....J@......~.......#.Microsoft.Management.Infrastructure.<................H..QN.Y.f............System.Management...@................Lo...QN......<Q........System.DirectoryServices4................Zg5..:O..g..q..........System.Xml..4...............T..'Z..N..Nvj.G.........System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<...............)L..Pz.O.E.R............System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\22kuy4qb\22kuy4qb.0.cs Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	C++ source, UTF-8 Unicode (with BOM) text
Category:	dropped
Size (bytes):	234
Entropy (8bit):	4.837953277416018
Encrypted:	false
SSDEEP:	3:V/DsIWMLCI53eqIusd81AWVEGWL48zzbAYvw/4JiiwMQZShrAoVS2GFR8KA59LRu:V/DsYLDS81zuzxpMIQQAos2SRMDk5Yy
MD5:	5AB5FA2642C9CCAE71FDEC4667005473
SHA1:	84B8886F7C7FDC6D93CC4149D22C9E418A39FFE0
SHA-256:	D2F2F4F21B69D20180DF77295EBB281B055C64445080F6FFB5294A99DCE25209
SHA-512:	802613B2ED38D24F6B0902479B5A00EB5DC64442206E8A122F8FB812CB720C167DEB47675BA7CA48E043BC352F149AA0A5F0AE508239B3189EBA0D5208E1E25B
Malicious:	false
Preview:	.using System;.using System.Runtime.InteropServices;..namespace ADRecon.{. public class Kernel32. {. [DllImport("kernel32.dll", SetLastError = true)]. public static extern bool CloseHandle(IntPtr hObject);.. }..}.

C:\Users\user\AppData\Local\Temp\22kuy4qb\22kuy4qb.cmdline Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	369
Entropy (8bit):	5.31832960082016
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23fDYzxs7+AEszIwkn23fDV:p37Lvkmb6KRf8WZEifZ
MD5:	176C076F99A7E4735B66BF8158F4B920
SHA1:	8D2468F1B0179F306A00303135ABC1895D39F9E4
SHA-256:	39E9CA68598843E2E14F80DF91548203564B65DC722AC2FBDB4CD43D36C5E6B4
SHA-512:	F6D4F6A285876D09DD4EC548C77B864B7AEA09DD27D1FAAC708AA8F1CC0E25F1B3502D0168FF44545B345688ACEA6C46A82B79D2D7429F2B548202B40DAFF238
Malicious:	false
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\22kuy4qb\22kuy4qb.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\22kuy4qb\22kuy4qb.0.cs"

C:\Users\user\AppData\Local\Temp\22kuy4qb\22kuy4qb.dll Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3072
Entropy (8bit):	2.723126896976699
Encrypted:	false
SSDEEP:	24:etGSm/BepxLd84fLzmkup4PtkZfwlrjOcUxbI+ycuZhNIakS0PNnq:6l24vhuCuJQ3dKb1ulIa3Uq
MD5:	A5A124DCA07A1D0A3CC466C2E9111D86
SHA1:	BE6A85F0D4616F13402C52B23D19E247D8B6AF69
SHA-256:	A1EFF5D01E8107BDEABCBAFDFC31AC4A6B24268C9C1C15EF3C4653273383EC29
SHA-512:	98B7070F7C94A4578CCDB6737986CBA54A93FA288FE06BD8A63FE7C15130BF487F521C936AAA168F8DE249EA8F98DD1A62A4AF3DFB7401FA695A78CC5588F08A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`...........!................~#... ...@....... ....................................@.................................$#..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B..................(....*BSJB............v4.0.30319......l.......#~..l.......#Strings....l.......#US.t.......#GUID.......H...#Blob...........G.........%3............................................................8.1...y.Y.....Y........................... .............. ?.....P ......K.........Q...K.....K...!.K.....K.............&...@...?.......................................(..........<Module>.22kuy4qb.dll.Kernel32.ADRecon.mscorlib.System.Object.CloseHandle..ctor.hObject.System.Runtime.CompilerServ

C:\Users\user\AppData\Local\Temp\22kuy4qb\22kuy4qb.out Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	412
Entropy (8bit):	4.871364761010112
Encrypted:	false
SSDEEP:	12:zKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:zKaM5DqBVKVrdFAMBJTH
MD5:	83B3C9D9190CE2C57B83EEE13A9719DF
SHA1:	ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E
SHA-256:	B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
SHA-512:	0DE42AC5924B8A8E977C1330E9D7151E9DCBB1892A038C1815321927DA3DB804EC13B129196B6BC84C7BFC9367C1571FCD128CCB0645EAC7418E39A91BC2FEDB
Malicious:	false
Preview:	Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\22kuy4qb\CSC73C42A17711C4AAFA64E46FCC8D6B36.TMP Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.121262308944385
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryWak7Ynqq0PN5Dlq5J:+RI+ycuZhNIakS0PNnqX
MD5:	0F8C0392277BDD37F716D58A8B4A7EF6
SHA1:	7B4CB4DB53A0E1F91DB6AE3E6F780E01845D0B48
SHA-256:	D2ACB274EFA01F58CDD21A1D4C5F4823804EE655CDA9F7136B0BB5E999BDB1B8
SHA-512:	0AE97087157E54E24473A3AFB4751C6E60F2EFB3EC69DCEB28B2B21CE0DE06B175EB4F1B3F33C68ED1D4C2398DBA5F41C85390F258190969A6E6DD12214658DC
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...2.2.k.u.y.4.q.b...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...2.2.k.u.y.4.q.b...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\2hftzesj\2hftzesj.0.cs Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	C++ source, UTF-8 Unicode (with BOM) text
Category:	dropped
Size (bytes):	13616
Entropy (8bit):	5.3056667837640115
Encrypted:	false
SSDEEP:	384:iHVYrVarE2xnsHcC6qPuNSFEMSM1PuNGlLn:U2rUrrxnycC6qPuNSFEMSM1PuNGlLn
MD5:	743B6837C85645CD2325F6295ACF2386
SHA1:	EB31A36D045BEA8DCB4813209B9C4100F0A6A546
SHA-256:	1E93A153ED55B119F7B5BF756BD9560D010B43C35F10BD6CDC010294555B7E8A
SHA-512:	B132383BD091E8EE7E0749E0490626BD68FDCB51A05F81FF5D9DA1022E85632A6FE5AB2EAA5441DDBA99AAFF7D1232A21358BF45F32910F9FDAC591EAA5973F3
Malicious:	false
Preview:	.using System;.using System.Collections.Generic;.using System.Diagnostics;.using System.IO;.using System.Net;.using System.Net.Sockets;.using System.Text;.using System.Runtime.InteropServices;.using System.Management.Automation;..namespace ADRecon.{. public class PingCastleScannersSMBScanner..{. [StructLayout(LayoutKind.Explicit)]...struct SMB_Header {....[FieldOffset(0)]....public UInt32 Protocol;....[FieldOffset(4)]....public byte Command;....[FieldOffset(5)]....public int Status;....[FieldOffset(9)]....public byte Flags;....[FieldOffset(10)]....public UInt16 Flags2;....[FieldOffset(12)]....public UInt16 PIDHigh;....[FieldOffset(14)]....public UInt64 SecurityFeatures;....[FieldOffset(22)]....public UInt16 Reserved;....[FieldOffset(24)]....public UInt16 TID;....[FieldOffset(26)]....public UInt16 PIDLow;....[FieldOffset(28)]....public UInt16 UID;....[FieldOffset(30)]....public UInt16 MID;...};...// https://msdn.microsoft.com/en-us/library/cc246529.aspx...[StructLayout(Layo

C:\Users\user\AppData\Local\Temp\2hftzesj\2hftzesj.cmdline Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	369
Entropy (8bit):	5.256825968064545
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23f8EomJ+zxs7+AEszIwkn23f8EoE:p37Lvkmb6KRfUnm0WZEifUnE
MD5:	52D2020F824BFFFCF8FA851F9137F242
SHA1:	C39D8930902B0F7EB410D97AEF252D474F701F4E
SHA-256:	DC4C5D79BAD326DCF661F855AD7EDBA2855F83C1856725DA969F35D0FA3454D9
SHA-512:	90EF6A0670DD33C3FFF0CC3F2F46FFC512EE917758A7654A43678E9942BECDB38AA569456A6AD5B2BBD8123C5631A626B86580A113D19901F4F31C3E001B274D
Malicious:	false
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\2hftzesj\2hftzesj.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\2hftzesj\2hftzesj.0.cs"

C:\Users\user\AppData\Local\Temp\2hftzesj\2hftzesj.dll Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	8704
Entropy (8bit):	4.701567451343365
Encrypted:	false
SSDEEP:	96:4YK11I8aDmU9aTst2fHY+Zh2pIZprrM6OE88mYtdo1uaDgzrkK:4h1q8aDDaT2mX2pIZXOE8R49
MD5:	02C3F9DB30B0FE59996CBCD79D854A85
SHA1:	1159A8E8727972C021566F7E2E877B610F17ED88
SHA-256:	1DD4080F108330F61D45B0FF6A4C55EA8D24EC0ACA8564CC2D93DC604563BBD6
SHA-512:	EB4E44B607D610DFD47981A74FF217B231DE557094F412CC513F8758F7D19B2808EDAA3ED9C93E09917A476BE2FDBB1F52E20B87A8AA3656E6B8B7D49D09F729
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`...........!.................9... ...@....... ....................................@..................................8..S....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`....... ..............@..B.................0.................... .SMB}.......}.......}........}...... S...}.......}.......j}.......}...... ....}...... ....}.......}.......}..........(.......0..N................. .SMB}.......}.......@}.......}.......j}!..... ....}".........(.......0...........(.............(........(........(.....(........0..1.......(.....o.......i.X.............i.Y........i(.........0..(.........i.X..............i...........i(.....*.0..B..................$}'......}(......}).....(....},.......}..........

C:\Users\user\AppData\Local\Temp\2hftzesj\2hftzesj.out Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	412
Entropy (8bit):	4.871364761010112
Encrypted:	false
SSDEEP:	12:zKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:zKaM5DqBVKVrdFAMBJTH
MD5:	83B3C9D9190CE2C57B83EEE13A9719DF
SHA1:	ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E
SHA-256:	B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
SHA-512:	0DE42AC5924B8A8E977C1330E9D7151E9DCBB1892A038C1815321927DA3DB804EC13B129196B6BC84C7BFC9367C1571FCD128CCB0645EAC7418E39A91BC2FEDB
Malicious:	false
Preview:	Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\2hftzesj\CSC11820CB0636E4CAF90F043817D702019.TMP Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.1071360149671294
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryUak7YnqqKPN5Dlq5J:+RI+ycuZhNCakSKPNnqX
MD5:	44E986B8AAD9FFD50CD101E9DD5B6728
SHA1:	48CC9AC9E56EDAA75D578996E60493D3063D3E53
SHA-256:	7C2413A76FA94E6C2090DC732D310D21A1DAFEEB0639D056FD3E63F5FC803A32
SHA-512:	80EA411E81C9B849F57ED1E11D5DA08EC7B9DACA89E240EB4034D6B8FDD1877012ECC2EFA746311018EC603EF20947BB395AEC5435DAF7C13C8B7CB81CE6D0F2
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...2.h.f.t.z.e.s.j...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...2.h.f.t.z.e.s.j...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\RES7143.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	data
Category:	dropped
Size (bytes):	2188
Entropy (8bit):	2.70357239212724
Encrypted:	false
SSDEEP:	24:bZfNg9DfHwhKEsmNfI+ycuZhNOakSGPNnq92pkzW9I:bBKByKhm91ulOa36q9P
MD5:	BED4D3DD1EECAE4A56069079E3A22F06
SHA1:	56E3BB98596991255DE4E800CC808782852310B2
SHA-256:	C0415E86A5701C2FDA63CD7E3BC7351063FB8E8023F15084D242041D65808C49
SHA-512:	AD74B8C42DCE886AD1FE19C8FCA91B1057D913724A1DC8E0280BA93212A615016ADF76E1D16B7AB48FC8BD3F30F1D6FA7B5EA86E793679DFDE3FA95CA58B8550
Malicious:	false
Preview:	........S....c:\Users\user\AppData\Local\Temp\tfu5mvir\CSCED38EAF0BA2B44A19E4014561C643C3.TMP..................Y.l).<,.].\.o..........4.......C:\Users\user\AppData\Local\Temp\RES7143.tmp.-.<...................'...Microsoft (R) CVTRES.^.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\RES8066.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	data
Category:	dropped
Size (bytes):	2188
Entropy (8bit):	2.722320580709945
Encrypted:	false
SSDEEP:	24:bZfkJ/E11DfHdZFhKEsmNfI+ycuZhNIakS0PNnq92pYzW9I:bBA/e9ZzKhm91ulIa3Uq9D
MD5:	1BFBF76506BF3D4D68E534F9C4E351FE
SHA1:	5F3EED484CBE7B861F8C2F0AC70D2D1DB31F9730
SHA-256:	8674880573B963387D4DAE64C1CFE8069FDC42E547D2933D93E94C3F508E0F2E
SHA-512:	AD32F48F2C2AECE9A846AC9601C47352D30CEFE0AB4384EB13B9A75852BC2B3ACA6C9259F68E9E9127058C2A679D0EE40372B9251B946876C62F6758C1532B55
Malicious:	false
Preview:	........S....c:\Users\user\AppData\Local\Temp\22kuy4qb\CSC73C42A17711C4AAFA64E46FCC8D6B36.TMP....................'{.7....J~...........4.......C:\Users\user\AppData\Local\Temp\RES8066.tmp.-.<...................'...Microsoft (R) CVTRES.^.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\RES9074.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	data
Category:	dropped
Size (bytes):	2188
Entropy (8bit):	2.707574666950414
Encrypted:	false
SSDEEP:	24:p+fUr8DfHfhKEsmNfI+ycuZhNCakSKPNnq92pjYzW9I:cWqZKhm91ulCa3mq96O
MD5:	7C57D7F34F9D380B672830DC1B7E9A88
SHA1:	7ABC4256F883842A5BC8561E6C22348ADAFA15EF
SHA-256:	1CB4785FFC74F265B1084B08F825D2B6D1D4296208808469A44B355FD8F466FF
SHA-512:	4BE5CE1CC32FAD8D82760562E74916EFF0765AA3C919F2016CE1BC458F67883A2DB05695ED973B6FBF2D4FE16D34FEFB0124DC3A765F6BB73A5DEBD392B97FD6
Malicious:	false
Preview:	........T....c:\Users\user\AppData\Local\Temp\2hftzesj\CSC11820CB0636E4CAF90F043817D702019.TMP...............D..........[g(..........4.......C:\Users\user\AppData\Local\Temp\RES9074.tmp.-.<...................'...Microsoft (R) CVTRES.^.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\RESABDB.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	data
Category:	dropped
Size (bytes):	2188
Entropy (8bit):	2.7083990416814956
Encrypted:	false
SSDEEP:	24:bZfiv8DfHIhKEsmNfI+ycuZhNeHakSZQPNnq92pdzW9I:bBrqKhm91uleHa3ZIq96
MD5:	E16E4DD16D0700CAC7A48D2A4C2AC839
SHA1:	46B197721AC618249EBA620C3647E855E74FC9E4
SHA-256:	EF5A342E3FFE2058FB0733765430BF78D8DA073B9FCD391AAEBAF4F9D0D8F194
SHA-512:	54E714FCF227EC7073E193041D71F81110684387401229934BABB73904FA1327965807CB0B13489E92499749B734876B221A958249D1DDE0CF757AF8CA7889AD
Malicious:	false
Preview:	........S....c:\Users\user\AppData\Local\Temp\hmzbf4ad\CSCE214703DB10E47A0BDD59CF4E3CD48D.TMP..................wA....i`....y...........4.......C:\Users\user\AppData\Local\Temp\RESABDB.tmp.-.<...................'...Microsoft (R) CVTRES.^.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_divvbyll.vrx.psm1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rorwv0kw.kes.ps1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\hmzbf4ad\CSCE214703DB10E47A0BDD59CF4E3CD48D.TMP Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.1014328811937397
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryONHak7YnqqjNQPN5Dlq5J:+RI+ycuZhNeHakSZQPNnqX
MD5:	FF7F774186CD06E469601E8CD30D79F5
SHA1:	C202AB5CF8CD4A2C910A11679599F8070971F499
SHA-256:	848EE362B93C735AD8309AD654A5CFF326DFD43C05ED9A9B0067D73E6419F50C
SHA-512:	8FB2FC7C2E864F44A17A53193CE40F2120105F01455613B353C16E711256587A8AC85B75EC4FE69E3938C37CCE71A04197FFFFB796E73ED3E8142CB9D90AB5D6
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...h.m.z.b.f.4.a.d...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...h.m.z.b.f.4.a.d...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\hmzbf4ad\hmzbf4ad.0.cs Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	C++ source, UTF-8 Unicode (with BOM) text, with very long lines
Category:	dropped
Size (bytes):	82692
Entropy (8bit):	4.386560180163499
Encrypted:	false
SSDEEP:	768:5KUrYWYxYDFQLsTExaJJ7tsThgDU2AXMIVaIIVLT:5KOYWYxYDW9apslgg2AHa7LT
MD5:	1FC273B23EB699DE4CD1B2B488F3FE07
SHA1:	311D784EDFA828EE04A2B57AC308704960097156
SHA-256:	5576585B2F3493D027C946DEA0B45172C09B3ABD46675CBD56F4CD0C10ED71B0
SHA-512:	A54C18F404E83DDD5FEC5861682B109AD8E34A97833FCAC427A76C7FE42D32AB24197F6A7B00697E5ECB3FF554D9EE7D3D6A2140F2BA157E8216CFB3B5D3E74A
Malicious:	false
Preview:	.// Thanks Dennis Albuquerque for the C# multithreading code.using System;.using System.Collections;.using System.Collections.Generic;.using System.Linq;.using System.Net;.using System.Threading;.using System.DirectoryServices;.using System.Security.Principal;.using System.Security.AccessControl;.using System.Management.Automation;..namespace ADRecon.{. public static class LDAPClass. {. private static DateTime Date1;. private static int PassMaxAge;. private static int DormantTimeSpan;. private static Dictionary<String, String> AdGroupDictionary = new Dictionary<String, String>();. private static String DomainSID;. private static Dictionary<String, String> AdGPODictionary = new Dictionary<String, String>();. private static Hashtable GUIDs = new Hashtable();. private static Dictionary<String, String> AdSIDDictionary = new Dictionary<String, String>();. private static readonly HashSet<string> Groups = new HashSet<strin

C:\Users\user\AppData\Local\Temp\hmzbf4ad\hmzbf4ad.cmdline Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	502
Entropy (8bit):	5.293414896955437
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6KOkuqZbA3S7bAswkn23f37Uzxs7+AEszIwkn29:p37Lvkmb6KOkB8e8Pf/4WZEif/1
MD5:	2FEDE92D7F1B1F699784E0ECF371E154
SHA1:	90153D6E8B00C6CA60F08A4235EB209F2C4C939B
SHA-256:	84BCBFD6A2BE0BCE427090FE9376CA364998F59A65D859C89807AF306ADA5099
SHA-512:	72409186636F42861377D13097597263FC9656E14CDE2B342BD134F35DFC4074D3FBCE8C49F54F9DF66ED0925993DBD8A45706CA2B8722D1D1942E0F1CA4A9AB
Malicious:	false
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll" /out:"C:\Users\user\AppData\Local\Temp\hmzbf4ad\hmzbf4ad.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\hmzbf4ad\hmzbf4ad.0.cs"

C:\Users\user\AppData\Local\Temp\hmzbf4ad\hmzbf4ad.dll Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	37888
Entropy (8bit):	5.108047151608629
Encrypted:	false
SSDEEP:	768:gdCrM0agt1pL1ZAGwZ+ATQpUvX1vNTd/pVf5/t3tK68RPDhB0yq8QoP:gdCrM0agDQ+qSDhCyaa
MD5:	0DB8B192DB985041BF78C7041B5103FC
SHA1:	A146F812CABBD8667B9826BFA4324708731BBDD3
SHA-256:	4EEC9CB7480D08799686A0F117458D33124F9951F551469A4E0720F86F6248CE
SHA-512:	C8082701A9F85280DB9CC6006990D3FBAF5059C4CE98A757181DB061563B50025D68949548251D7C7898ABA0DF5306FD9C061260E63441FB18F02B26BA4EBEDB
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`...........!................N.... ........... ....................................@.....................................K.................................................................................... ............... ..H............text...T.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.................0..`.......r...p.(......o....(.....~....o....o.....+...(.......~.....o....o.......(....-...........o............(.(P.........i....0..B..............+.....t......o....r...po....o.....3..........X......i2......0.."............................r=..p(.........0............rI..p(........0............r[..p(........0..,.......s...........ri..p(....&........r...p(.......0............r...p(........0............r...p(........0..&.......s...........r...p(....&..r...p(......*...0......

C:\Users\user\AppData\Local\Temp\hmzbf4ad\hmzbf4ad.out Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	412
Entropy (8bit):	4.871364761010112
Encrypted:	false
SSDEEP:	12:zKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:zKaM5DqBVKVrdFAMBJTH
MD5:	83B3C9D9190CE2C57B83EEE13A9719DF
SHA1:	ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E
SHA-256:	B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
SHA-512:	0DE42AC5924B8A8E977C1330E9D7151E9DCBB1892A038C1815321927DA3DB804EC13B129196B6BC84C7BFC9367C1571FCD128CCB0645EAC7418E39A91BC2FEDB
Malicious:	false
Preview:	Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\tfu5mvir\CSCED38EAF0BA2B44A19E4014561C643C3.TMP Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.097603255426555
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5grygioak7Ynqqpi9PN5Dlq5J:+RI+ycuZhNOakSGPNnqX
MD5:	F5B459ECA66C29113C2CDB5DC65CCA6F
SHA1:	94A8C9D1BF6B630885DA715D705E183FE5790D99
SHA-256:	1DE6EF62B3720C1DA82C8F213B7CC6A0BCB2D875FBE6AA8B4F115EFDA222A8D4
SHA-512:	212500CDA11970FC22A79AF91157566D77E1F82B2B077ED2C39F756FA187E4B7A9154EE4989D6A9A3510A70E3FC4D66626CB27366F7432023237EFB2C9942C79
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...t.f.u.5.m.v.i.r...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...t.f.u.5.m.v.i.r...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\tfu5mvir\tfu5mvir.0.cs Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	C++ source, UTF-8 Unicode (with BOM) text
Category:	dropped
Size (bytes):	559
Entropy (8bit):	4.921580670118331
Encrypted:	false
SSDEEP:	12:V/DTLDfuzog9NAD1YbpJj6e2OthNADSINADtiOy:JjmzogKI3l2HSzIOy
MD5:	5CB55CC81CBFE307FEA693A618521A0B
SHA1:	B2FA5B07B649AB7C0028A7FBCB5EF3141342BA7A
SHA-256:	39F7CA91E94D19767C7DB10E0CBA0788B2349676DE29FA2B766B860334A93A3F
SHA-512:	2122D115E19584679B86C1669184CCACDB265CAEFBA4B306030473976A84325D2A31D09257D5F0504CABAC9EAC70A3749D87DEE1B18B543526C6522D05224B4F
Malicious:	false
Preview:	.using System;.using System.Runtime.InteropServices;..namespace ADRecon.{. public class Advapi32. {. [DllImport("advapi32.dll", SetLastError = true)]. public static extern bool LogonUser(string lpszUsername, string lpszDomain, string lpszPassword, int dwLogonType, int dwLogonProvider, out IntPtr phToken);.. [DllImport("advapi32.dll", SetLastError = true)]. public static extern bool ImpersonateLoggedOnUser(IntPtr hToken);.. [DllImport("advapi32.dll", SetLastError = true)]. public static extern bool RevertToSelf();.. }..}.

C:\Users\user\AppData\Local\Temp\tfu5mvir\tfu5mvir.cmdline Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	369
Entropy (8bit):	5.2161732279303195
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23ftBUzxs7+AEszIwkn23ftbn:p37Lvkmb6KRfYWZEifV
MD5:	9FD0ABE39ED93E903448D882648F9C11
SHA1:	B46C59D7A63A5168AE5FCD8A26EF5D077F35F5B9
SHA-256:	5C73ADABE15A4E58A4A6AE49F5C562A7732AEE52DD1A98C54F99B5DE77977AA9
SHA-512:	F7533693F5736495298101EC042796EEF16FD691AADDAEE892B05D9C788AAFF3A5648792324D30796A3C876892531B3D73DFD12CB38AB4308725C73539F5DF6F
Malicious:	true
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\tfu5mvir\tfu5mvir.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\tfu5mvir\tfu5mvir.0.cs"

C:\Users\user\AppData\Local\Temp\tfu5mvir\tfu5mvir.dll Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	2.7564915970140667
Encrypted:	false
SSDEEP:	24:etGS6MhW2oe/yEC3Q5/YWp0Wd4LC62kM4tkZf0Rjtxw7I+ycuZhNOakSGPNnq:6zR7CAyWJkMvJ0RjXy1ulOa36q
MD5:	A665FB3D3C183FE441445EFC58D0E9CF
SHA1:	6B25ABC60A0C37A493219FADC148E0A0F7B00240
SHA-256:	AF9722A13043902F337FCACF8D9387A654D22BF4AFB3EBF7A4A649B8A03EA9E0
SHA-512:	81F63BBF98B7C0DC89A90BD3AAD2B67A470AD9123A1E384797F620E06EB6797819B46848530D496FE6AB9006403B19CEAAC6CEFDA21160DAD7039EF53C071E3E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`...........!................^$... ...@....... ....................................@..................................$..W....@.......................`....................................................... ............... ..H............text...d.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B..................(....*BSJB............v4.0.30319......l...\...#~......x...#Strings....@.......#US.H.......#GUID...X...T...#Blob...........G.........%3............................................................8.1...............0.....W....................... .............. ?............ I............ a.....P ......n.........t.......................................n.....n.".!.n...).n.'...n.......,.....5.j.@...?...@...I...@...a.....................N.................(..........<Module>.tfu5mvir.dll.A

C:\Users\user\AppData\Local\Temp\tfu5mvir\tfu5mvir.out Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	412
Entropy (8bit):	4.871364761010112
Encrypted:	false
SSDEEP:	12:zKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:zKaM5DqBVKVrdFAMBJTH
MD5:	83B3C9D9190CE2C57B83EEE13A9719DF
SHA1:	ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E
SHA-256:	B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
SHA-512:	0DE42AC5924B8A8E977C1330E9D7151E9DCBB1892A038C1815321927DA3DB804EC13B129196B6BC84C7BFC9367C1571FCD128CCB0645EAC7418E39A91BC2FEDB
Malicious:	false
Preview:	Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\37EHO8F82PQCUKVGOBYU.temp Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6205
Entropy (8bit):	3.761457724376558
Encrypted:	false
SSDEEP:	96:kPEG9mBX60CO+S/qdkvhkvCCtrXn3H8Xn3HV:UEG9mBcPJr8V
MD5:	DC270A2232DEA69AB1E3ADB526E7089E
SHA1:	37A5D67AC587B4DC2A36CE0F1F1FFD06C6C411CA
SHA-256:	5AE0312FE75CAC2C1E2F579A867DE10DC8AA597CD4627280A562079A7BDC08A5
SHA-512:	BC3220936AD072874C7CF7258BB17CC2940E30811C8093C38F540448BFBFCC5F98AA683CF4BACC7BC0A68976EB52D8BCBBC733FDAE2AE5DC0257D47CD8AB2B3D
Malicious:	false
Preview:	...................................FL..................F.".. ....J...-...rt^.`..\.................................:..DG..Yr?.D..U..k0.&...&...........-..a..S....d.."Fd......t...CFSF..1......N....AppData...t.Y^...H.g.3..(.....gVA.G..k...@.......N...R.k.....Y....................yN\|.A.p.p.D.a.t.a...B.V.1......N....Roaming.@.......N...R.k.....Y.....................K..R.o.a.m.i.n.g.....\.1.....>Q.;..MICROS~1..D.......N...R.k.....Y.....................sJ.M.i.c.r.o.s.o.f.t.....V.1.....>Q{<..Windows.@.......N...R.k.....Y......................Q.W.i.n.d.o.w.s.......1......N....STARTM~1..n.......N..>Q.;.....Y..............D.....6...S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1......P.S..Programs..j.......N..>Q.;.....Y..............@........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......L...WINDOW~1..V.......N..>QZ7.....Y....................T_..W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......L.. .WINDOW~1.LNK..^.......N...P3Q.....Y..........

C:\Users\user\Documents\20210618\PowerShell_transcript.134349.jqYok04J.20210618153043.txt Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1537
Entropy (8bit):	5.233932318873786
Encrypted:	false
SSDEEP:	48:BZ7vj0oORT89dqDYB1Z8Z+xanvqUuiVPZZC:BZbj0Ni3qDo1Z8DvqUuiVPZg
MD5:	85CAC918CD3BC0344A3B58C84CE27446
SHA1:	BC88191383B44DE2E24819B1DDCC11959E0172FF
SHA-256:	B7503521978F97E4D5766114F7C35D85C74559CEFD710F9A746270DB04C2BEB1
SHA-512:	F4D38175F32B95070C3158215922780DB10B6FCE40C733F9EA707B3C3042D3B0F26D1E19C1D217B34C8E9E578F5BA263444CD37424198518E03D1085027B075E
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210618153044..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 134349 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noLogo -ExecutionPolicy unrestricted -file C:\Users\user\Desktop\ADRecon-KPMG.ps1..Process ID: 6832..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210618153301..********************..PS>TerminatingError(Import-Module): "The running command stopped because the preference variable "ErrorActionPreference" or common parameter is set to Stop: The specified module 'ActiveDirectory' was not loaded because no valid mo

Static File Info

General
File type:	UTF-8 Unicode (with BOM) text, with very long lines
Entropy (8bit):	5.256591239440088
TrID:	Text - UTF-8 encoded (3003/1) 100.00%
File name:	ADRecon-KPMG.ps1
File size:	626599
MD5:	6008e6c3deaa08fb420d5efd469590c6
SHA1:	1c55b3e2c62932213a57ffb8a223fb2a52b4d170
SHA256:	ac00dd7d54764e0389de434f3203c2a3384d2ffcc20615f40f09c4c0646c8d3f
SHA512:	774d837ffbc8f883e1b5a8b03a1da2cff24e585356bd93f5a48e64bd47bba02bebfa1fe23d0b21db973a33c7bb83a72ed82a178824bba766e2c2a22e03aa37fd
SSDEEP:	12288:pRbDbhJGYDb/XwXMX9ycFb7b4JHzARyvQ1svRO9y9f:pRbDbhJGYDb/XwXMX9ycFb7b4JTsyvQm
File Content Preview:	...<#...SYNOPSIS.. ADRecon is a tool which gathers information about the Active Directory and generates a report which can provide a holistic picture of the current state of the target AD environment....DESCRIPTION.. ADRecon is a tool which extracts

File Icon


Icon Hash:	72f2d6fef6f6dae4

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: powershell.exe PID: 6832 Parent PID: 5848

General

Start time:	15:30:41
Start date:	18/06/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -noLogo -ExecutionPolicy unrestricted -file 'C:\Users\user\Desktop\ADRecon-KPMG.ps1'
Imagebase:	0x7ff7bedd0000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6848 Parent PID: 6832

General

Start time:	15:30:42
Start date:	18/06/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: csc.exe PID: 7120 Parent PID: 6832

General

Start time:	15:30:47
Start date:	18/06/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\tfu5mvir\tfu5mvir.cmdline'
Imagebase:	0x7ff743170000
File size:	2739304 bytes
MD5 hash:	B46100977911A0C9FB1C3E5F16A5017D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Chronological Activities

Analysis Process: cvtres.exe PID: 4116 Parent PID: 7120

General

Start time:	15:30:48
Start date:	18/06/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES7143.tmp' 'c:\Users\user\AppData\Local\Temp\tfu5mvir\CSCED38EAF0BA2B44A19E4014561C643C3.TMP'
Imagebase:	0x7ff6154c0000
File size:	47280 bytes
MD5 hash:	33BB8BE0B4F547324D93D5D2725CAC3D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: csc.exe PID: 2928 Parent PID: 6832

General

Start time:	15:30:51
Start date:	18/06/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\22kuy4qb\22kuy4qb.cmdline'
Imagebase:	0x7ff743170000
File size:	2739304 bytes
MD5 hash:	B46100977911A0C9FB1C3E5F16A5017D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Chronological Activities

Analysis Process: cvtres.exe PID: 6228 Parent PID: 2928

General

Start time:	15:30:52
Start date:	18/06/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES8066.tmp' 'c:\Users\user\AppData\Local\Temp\22kuy4qb\CSC73C42A17711C4AAFA64E46FCC8D6B36.TMP'
Imagebase:	0x7ff6154c0000
File size:	47280 bytes
MD5 hash:	33BB8BE0B4F547324D93D5D2725CAC3D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: csc.exe PID: 6492 Parent PID: 6832

General

Start time:	15:30:55
Start date:	18/06/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\2hftzesj\2hftzesj.cmdline'
Imagebase:	0x7ff743170000
File size:	2739304 bytes
MD5 hash:	B46100977911A0C9FB1C3E5F16A5017D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Chronological Activities

Analysis Process: cvtres.exe PID: 6452 Parent PID: 6492

General

Start time:	15:30:56
Start date:	18/06/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES9074.tmp' 'c:\Users\user\AppData\Local\Temp\2hftzesj\CSC11820CB0636E4CAF90F043817D702019.TMP'
Imagebase:	0x7ff6154c0000
File size:	47280 bytes
MD5 hash:	33BB8BE0B4F547324D93D5D2725CAC3D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: csc.exe PID: 5716 Parent PID: 6832

General

Start time:	15:31:02
Start date:	18/06/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\hmzbf4ad\hmzbf4ad.cmdline'
Imagebase:	0x7ff743170000
File size:	2739304 bytes
MD5 hash:	B46100977911A0C9FB1C3E5F16A5017D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Chronological Activities

Analysis Process: cvtres.exe PID: 5688 Parent PID: 5716

General

Start time:	15:31:03
Start date:	18/06/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESABDB.tmp' 'c:\Users\user\AppData\Local\Temp\hmzbf4ad\CSCE214703DB10E47A0BDD59CF4E3CD48D.TMP'
Imagebase:	0x7ff6154c0000
File size:	47280 bytes
MD5 hash:	33BB8BE0B4F547324D93D5D2725CAC3D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: powershell.exe PID: 6832 Parent PID: 5848 powershell.exeCOMMON

Executed Functions

Function 00007FFA35A872BC, Relevance: 2.9, Strings: 2, Instructions: 430COMMON

Download Yara Rule

Strings

8s5, xrefs: 00007FFA35A87456
9b_H, xrefs: 00007FFA35A87460

Memory Dump Source

Source File: 00000000.00000002.707817531.00007FFA35A80000.00000040.00000001.sdmp, Offset: 00007FFA35A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffa35a80000_powershell.jbxd

Similarity

API ID:
String ID: 8s5$9b_H
API String ID: 0-2886319865
Opcode ID: e9ea03149ae13db049e71ec3e02b7f97bd45c8cf1b668b6343a9f64502e5b654
Instruction ID: 59c05e3650c805e7cf5d706ccbb29d9c4103bbd353f8f66a88a605c11ff374bd
Opcode Fuzzy Hash: e9ea03149ae13db049e71ec3e02b7f97bd45c8cf1b668b6343a9f64502e5b654
Instruction Fuzzy Hash: 26D1D430E18A4A8FDB98DF1CC489AA97BE1FF69311F148179D44DD7256DE36E842CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35A84655, Relevance: .7, Instructions: 707COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.707817531.00007FFA35A80000.00000040.00000001.sdmp, Offset: 00007FFA35A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffa35a80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5def5bb9124fe7f5e74b378696011ff99c314a9aa840f4691701be5e8023cefb
Instruction ID: 64de4a201f492267c67c8654c25757465491025e82f5c7c7e090e0d012a562f3
Opcode Fuzzy Hash: 5def5bb9124fe7f5e74b378696011ff99c314a9aa840f4691701be5e8023cefb
Instruction Fuzzy Hash: C8222862E1CB868FEB58DB1C98096A87FE1FF96714F5481B6D00CC728ADD25AC4697C0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35A80FD9, Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.707817531.00007FFA35A80000.00000040.00000001.sdmp, Offset: 00007FFA35A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffa35a80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2386895bf26d64169ffbd304d560c5f118da217da3c6c3222e85790e7d2d3aae
Instruction ID: e5980422e4b4fcc101e28dee598e8ecd8d82c0aa9b98c7911909ffb8798d13bd
Opcode Fuzzy Hash: 2386895bf26d64169ffbd304d560c5f118da217da3c6c3222e85790e7d2d3aae
Instruction Fuzzy Hash: 6C51083191CA8A4FD318DB1CD859AA6BBF1FFC6310F0486BBE04DC7192CE29A945D781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35A869F8, Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.707817531.00007FFA35A80000.00000040.00000001.sdmp, Offset: 00007FFA35A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffa35a80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f7e5d640398adda19f7020c3d8c15d0054bab79bcde4febadb90630bac8cfc3
Instruction ID: 833918a8b17bc471b98275d6707a9b95032d49c6f12356337903a2d136a76cc6
Opcode Fuzzy Hash: 3f7e5d640398adda19f7020c3d8c15d0054bab79bcde4febadb90630bac8cfc3
Instruction Fuzzy Hash: 9E31C83091CB4C4FDB1C9B5C9C0A6A9BBE0EB99721F04826FE449D3252DB75A8558BC2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35A86D98, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.707817531.00007FFA35A80000.00000040.00000001.sdmp, Offset: 00007FFA35A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffa35a80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e3747894b4f72c1a6c9c99c612966f291c09a74f98758a2cc4d7b5cf1ba3426
Instruction ID: 30e7e0a28d8581a995ab032de3f16d675b8759aa2366ec508278137a19a1fdc1
Opcode Fuzzy Hash: 8e3747894b4f72c1a6c9c99c612966f291c09a74f98758a2cc4d7b5cf1ba3426
Instruction Fuzzy Hash: 5A21063090CA4C4FEB59DFAC884A7E97BE0EBA6331F04826BD04DC7152DA75A406CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35A84497, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.707817531.00007FFA35A80000.00000040.00000001.sdmp, Offset: 00007FFA35A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffa35a80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ff24e6f2d286b56939eddbb22c5021be72d8a42e42b64b5aa8cc53164aaee34
Instruction ID: a95a7d2bf389f0c1bcbd565c40faf055e9ad4aed317cab7f4296be58902579eb
Opcode Fuzzy Hash: 5ff24e6f2d286b56939eddbb22c5021be72d8a42e42b64b5aa8cc53164aaee34
Instruction Fuzzy Hash: 63F0A932B2CB068FDB5C9A0CE84257573D1EB95325F10407EE18EC7297ED2BE8429641

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35A832E5, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.707817531.00007FFA35A80000.00000040.00000001.sdmp, Offset: 00007FFA35A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffa35a80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41a3e58392e0c92bdc11ff23c788dfa358aa500590e4c1a104f6ac3825cb99bb
Instruction ID: ea624cab7fa94e02e09879826f52c4c1649e2b8e208e845b00998dcbacd20952
Opcode Fuzzy Hash: 41a3e58392e0c92bdc11ff23c788dfa358aa500590e4c1a104f6ac3825cb99bb
Instruction Fuzzy Hash: D601447115CB084FD758EF0CE451AA6B7E0FB95324F10056EE58AC3695DA26E882CB45

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35A82F62, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.707817531.00007FFA35A80000.00000040.00000001.sdmp, Offset: 00007FFA35A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffa35a80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c12d57b417f64f7d3bcc303dd3aaf09bcf9cb12402b40eb8e3e5b53b1009e571
Instruction ID: efda99324029fc6e8966263573dec310b06d1ef0c274c2d4a45c1ef6c052d0c8
Opcode Fuzzy Hash: c12d57b417f64f7d3bcc303dd3aaf09bcf9cb12402b40eb8e3e5b53b1009e571
Instruction Fuzzy Hash: 13F08C3235CA080BE70C6A1CB8524F973C1CBD5760B10817FE40AC6297DC16A88342C6

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35B50262, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.708360365.00007FFA35B50000.00000040.00000001.sdmp, Offset: 00007FFA35B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffa35b50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb1f072713d62d3dee3ef87566d2766e2c7af11895490dda05053712e75ebcc5
Instruction ID: 301de1f67d8cd4e767386ed465bea2ccb910f53932bd1c81d346c08653427431
Opcode Fuzzy Hash: cb1f072713d62d3dee3ef87566d2766e2c7af11895490dda05053712e75ebcc5
Instruction Fuzzy Hash: 44F0B42170DB4A4FEB88CE1CE891660B792FBB972031406AEC44DCB29BC926DC41C7C1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35A86BD8, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.707817531.00007FFA35A80000.00000040.00000001.sdmp, Offset: 00007FFA35A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffa35a80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8be96d76bb91dd8d248875e8f24bee88ddcd6808e4bffc98ac694a2c0b180b43
Instruction ID: 14e8a891876c6d448a671790e864f53c375fa0d689d1cc05a3b659bd4cae3738
Opcode Fuzzy Hash: 8be96d76bb91dd8d248875e8f24bee88ddcd6808e4bffc98ac694a2c0b180b43
Instruction Fuzzy Hash: 55F0243084C68D8FDB0A9F2888195E57FA0FF27310B080297E45CC70A2DB659858CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35A844B4, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.707817531.00007FFA35A80000.00000040.00000001.sdmp, Offset: 00007FFA35A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffa35a80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35dc378f4e3e2d4189dd2a26044574b273109e8f6cbde0a3c32985092bb7be6b
Instruction ID: bc38856ad9d0ed8f651d41d5204e1a757ec796ceb4feb39fa5c6179bcfed51bd
Opcode Fuzzy Hash: 35dc378f4e3e2d4189dd2a26044574b273109e8f6cbde0a3c32985092bb7be6b
Instruction Fuzzy Hash: C3F0303275C6044FDB5CAA1CF8429B573D1E799324B00016EE48BC2696D927E8438685

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35B55FA7, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.708360365.00007FFA35B50000.00000040.00000001.sdmp, Offset: 00007FFA35B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffa35b50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 522280d08b5a7c77786004c6431f2cdcf5f8a57ea1d9a41176003751867f54ca
Instruction ID: e1a0016c480a727b1eac49e5c7c41fc780756e63dd17488f19fce3fbcd631e25
Opcode Fuzzy Hash: 522280d08b5a7c77786004c6431f2cdcf5f8a57ea1d9a41176003751867f54ca
Instruction Fuzzy Hash: 19F0B432A0DB8A8FE756E768A8510E8BFF0EF57360B1850F7D18DC7193D91A58468711

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35B52619, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.708360365.00007FFA35B50000.00000040.00000001.sdmp, Offset: 00007FFA35B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffa35b50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee0ec976285f4d70e33a902c82d6c583dfb7f77f567d1973868523c80493da86
Instruction ID: 54939d30e092c82a3865bcb4cda89ec764820d0afffa1fff5632534ae261f000
Opcode Fuzzy Hash: ee0ec976285f4d70e33a902c82d6c583dfb7f77f567d1973868523c80493da86
Instruction Fuzzy Hash: DDF09025A0D68A4FEB92AB6888551F8BBE1EF57350B1480FAC04CD7193DD2A5C59C712

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35B55446, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.708360365.00007FFA35B50000.00000040.00000001.sdmp, Offset: 00007FFA35B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffa35b50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8985ab09864129143baa6d0b5f6c9732709c48058d275c3340034e316ceeb3e7
Instruction ID: b04e1aea6fad1cf7930abdfc978055276f9f5512e4a91f6e03a2c2460492161c
Opcode Fuzzy Hash: 8985ab09864129143baa6d0b5f6c9732709c48058d275c3340034e316ceeb3e7
Instruction Fuzzy Hash: BEE02623E0CD2E0EE2B9A35CBC052F492C0EB4AA23B0881B3D90CD31C6FC06AC1002C2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FFA35A80CD0, Relevance: .4, Instructions: 374COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.707817531.00007FFA35A80000.00000040.00000001.sdmp, Offset: 00007FFA35A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffa35a80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2047b3f61c859e33b6188f09a886191be6bd29ac681c64cd81de0fd27fbdd73e
Instruction ID: b2a2d41dcc5c5b24d659a1dd80682d4e4f731388198a8efb159f53e5d74ee587
Opcode Fuzzy Hash: 2047b3f61c859e33b6188f09a886191be6bd29ac681c64cd81de0fd27fbdd73e
Instruction Fuzzy Hash: 50B10531E2CA8B4FD36CDB5C94855B1BBD0EF46710B1485BEC48EC7682EE26B8429780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35A80D30, Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.707817531.00007FFA35A80000.00000040.00000001.sdmp, Offset: 00007FFA35A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffa35a80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 382a946a4d190ad3d77b15683ad1e9bb1b9ff6bdb61263dcdea075c86050beba
Instruction ID: 5a70680fbf920b0a23d189795d8992c0822abfc37961d04702e5367d89168dea
Opcode Fuzzy Hash: 382a946a4d190ad3d77b15683ad1e9bb1b9ff6bdb61263dcdea075c86050beba
Instruction Fuzzy Hash: E8514932E1CA5A4FE72C9B2CA4855B67BD0EF87730B04817FC58EC7196DD2978459380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35A820C8, Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.707817531.00007FFA35A80000.00000040.00000001.sdmp, Offset: 00007FFA35A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffa35a80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc3d226518ce672d9fb0c54de574428a2387142e4e9e554a1ee76bef61eb14d2
Instruction ID: 47427c37a0648ae42b280c256c4d01604b832460eb023c51cf9dcf11941c10f3
Opcode Fuzzy Hash: fc3d226518ce672d9fb0c54de574428a2387142e4e9e554a1ee76bef61eb14d2
Instruction Fuzzy Hash: B8414F46C1D2D31EE71A637CA8660E53F608F03778F1984B3D28D898E3FD0D68999266

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35B50FD1, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.708360365.00007FFA35B50000.00000040.00000001.sdmp, Offset: 00007FFA35B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffa35b50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8608345738d75149ead69d2306663b6b758beecd6dd11c987ddd176a40e2d673
Instruction ID: 94fcfd8b4637b422a376db27072b50b733b8f629596f7de832f556d76df7b2f0
Opcode Fuzzy Hash: 8608345738d75149ead69d2306663b6b758beecd6dd11c987ddd176a40e2d673
Instruction Fuzzy Hash: 2C118C5290EBC28FE3575B7888260B0BFB0AF1351070E45EBC0D88B5A3E90E0D49D7A3

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Tactics:	Discovery
Data Sources:	Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report ADRecon-KPMG.ps1

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: powershell.exe PID: 6832 Parent PID: 5848

General

Analysis Process: conhost.exe PID: 6848 Parent PID: 6832

General

Analysis Process: csc.exe PID: 7120 Parent PID: 6832

General

Analysis Process: cvtres.exe PID: 4116 Parent PID: 7120

General

Analysis Process: csc.exe PID: 2928 Parent PID: 6832

General

Analysis Process: cvtres.exe PID: 6228 Parent PID: 2928

General