

Windows Analysis Report
Invoke-noPac.ps1

Overview

General Information

Sample Name:Invoke-noPac.ps1
Analysis ID:1730306
MD5:468704b3c87e636b9b8c360f5623f729
SHA1:62fc35b64b5034064d75001288b9b1911ea28635
SHA256:4e37819484e865f8e20c2aaa94ec05f3bfe3bb6f36ea4bb6df376c8d4f1ffcca

Detection

noPac
Score:60
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Sigma detected: Suspicious Computer Account Name Change CVE-2021-42287
Yara detected noPac
Sigma detected: Suspicious Outbound Kerberos Connection
Yara signature match
Sigma detected: Suspicious Remote Logon with Explicit Credentials
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Contains long sleeps (>= 3 min)

Process Tree

  • System is w10x64_21h1_office_active_directory
  • powershell.exe (PID: 5580 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\Invoke-noPac.ps1 MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 5700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: D837FA4DEE7D84C19FF6F71FC48A6625)
No configs have been found
Source: Invoke-noPac.ps1 (sample) | Rule: JoeSecurity_noPac | Description: Yara detected noPac | Author: Joe Security
Source: 00000000.00000002.16751180655.000002049FE90000.00000004.08000000.00040000.00000000.sdmp (memory) | Rule: INDICATOR_TOOL_PWS_Rubeus | Description: Detects Rubeus kerberos defensive/offensive toolset | Author: ditekSHen
  Matched strings:
    • 0x559f9:$s1: (&(samAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=4194304))
    • 0x5661d:$s2: (!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))
    • 0x55ff5:$s3: rc4opsec
    • 0x4ee2c:$s4: pwdlastset
    • 0x4fddc:$s4: pwdlastset
    • 0x56986:$s4: pwdlastset
    • 0x569a4:$s4: pwdlastset
    • 0x475e1:$s5: LsaEnumerateLogonSessions
    • 0x4493d:$s6: extractKerberoastHash
    • 0x46f66:$s7: ComputeAllKerberosPasswordHashes
    • 0x456c5:$s8: kerberoastDomain
    • 0x405c1:$s9: GetUsernamePasswordTGT
  (The two LDAP filters are the Rubeus AS-REP-roast and Kerberoast user searches: 805306368 is samAccountType for user objects, 4194304 is the DONT_REQ_PREAUTH bit and 2 the ACCOUNTDISABLE bit of userAccountControl, and 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule. noPac reuses Rubeus code for its Kerberos handling, which is why the Rubeus rule fires on the assembly once it is unpacked in powershell.exe memory.)
Source: 00000000.00000003.16112649314.00000204B7F53000.00000004.00000020.00020000.00000000.sdmp (memory) | Rule: JoeSecurity_noPac | Description: Yara detected noPac | Author: Joe Security
Source: 00000000.00000002.16821259889.00000204AFF97000.00000004.00000800.00020000.00000000.sdmp (memory) | Rule: JoeSecurity_noPac | Description: Yara detected noPac | Author: Joe Security

System Summary

Sigma match: Suspicious Computer Account Name Change CVE-2021-42287 | Author: Florian Roth | Source: Event Logs
  EventID: 4781 (the name of an account was changed), Source: Microsoft-Windows-Security-Auditing
  OldTargetUserName: dcadmin1$ -> NewTargetUserName: dc-01 (the machine account the script created loses its trailing "$" and takes the domain controller's host name; this is the sAMAccountName-spoofing step of the noPac chain, and the rule fires precisely on a "$"-suffixed name being renamed to one without the suffix)
  SubjectUserName: user, SubjectDomainName: AD01, SubjectUserSid: S-1-5-21-3384971621-2488082584-654606338-1105, SubjectLogonId: 0x16b8f4
  TargetDomainName: AD01, TargetSid: S-1-5-21-3384971621-2488082584-654606338-1106, PrivilegeList: -
  Raw EventData: data0: dcadmin1$, data1: dc-01, data2: AD01, data3: S-1-5-21-3384971621-2488082584-654606338-1106, data4: S-1-5-21-3384971621-2488082584-654606338-1105, data5: user, data6: AD01, data7: 0x16b8f4, data8: -
Sigma match: Suspicious Outbound Kerberos Connection | Author: Ilyas Ochkov, oscd.community | Source: Network Connection
  EventID: 3, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 5580, Protocol: tcp, Initiated: true
  SourceIp: 192.168.1.201, SourcePort: 62723, DestinationIp: 192.168.1.200, DestinationPort: 88 (Kerberos; on a workstation this traffic normally originates from lsass.exe, not from a PowerShell process)
Sigma match: Suspicious Remote Logon with Explicit Credentials | Author: oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st | Source: Event Logs
  EventID: 4648 (a logon was attempted using explicit credentials), Source: Microsoft-Windows-Security-Auditing
  ProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 0x15cc (= 5580, the powershell.exe above)
  SubjectUserName: user, SubjectDomainName: AD01, SubjectUserSid: S-1-5-21-3384971621-2488082584-654606338-1105, SubjectLogonId: 0x5bfb9
  TargetUserName: user, TargetDomainName: AD01.LOCAL, TargetServerName: DC-01.ad01.local, TargetInfo: ldap/DC-01.ad01.local
  LogonGuid: {00000000-0000-0000-0000-000000000000}, TargetLogonGuid: {0d7257f6-ead0-9c49-99fe-cda91a935390}, IpAddress: -, IpPort: -
  Raw EventData: data0: S-1-5-21-3384971621-2488082584-654606338-1105, data1: user, data2: AD01, data3: 0x5bfb9, data4: {00000000-0000-0000-0000-000000000000}, data5: user, data6: AD01.LOCAL, data7: {0d7257f6-ead0-9c49-99fe-cda91a935390}, data8: DC-01.ad01.local, data9: ldap/DC-01.ad01.local, data10: 0x15cc, data11: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, data12: -, data13: -
Source: Pipe created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | PipeName: \PSHost.132881894112152451.5580.DefaultAppDomain.powershell
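The two Sigma matches above that carry the weight of this verdict (the 4781 rename of a computer account and the TCP/88 connection opened by powershell.exe) reduce to a few field checks. The Python below is an added example written for this page; it is not part of the Joe Sandbox report or of the noPac tooling. It runs both checks over constructed event records that copy the report's field names, and goes one step beyond the Sigma rule by raising the severity when the new account name equals a known domain controller host name. The dc_hostnames argument and the KERBEROS_CLIENTS allow-list are assumptions supplied for the example.

```python
"""Added example (not from the Joe Sandbox report or the noPac tooling).

Re-implements, over constructed event records, the two Sigma checks that
fired above: Security 4781 (account renamed) where a computer account loses
its trailing '$' (the sAMAccountName step of the noPac chain,
CVE-2021-42278/42287), and a Sysmon 3 outbound TCP/88 connection from a
process that is not a normal Kerberos client.
"""

# Images that normally talk to the KDC on TCP/88 on a workstation. This
# allow-list is an assumption for the example, not the Sigma rule's exact list.
KERBEROS_CLIENTS = {
    r"c:\windows\system32\lsass.exe",
    r"c:\windows\system32\svchost.exe",
}


def rename_severity(event, dc_hostnames=()):
    """Security 4781 check. Returns None (not suspicious), "medium" when a
    computer account ('$' suffix) is renamed to a name without the suffix,
    or "high" when that new name also equals a domain controller's host
    name, which is what noPac needs for the KDC to hand out a DC ticket."""
    if str(event.get("EventID")) != "4781":
        return None
    old = event.get("OldTargetUserName", "")
    new = event.get("NewTargetUserName", "")
    if not (old.endswith("$") and not new.endswith("$")):
        return None
    dcs = {h.lower() for h in dc_hostnames}   # assumed caller-supplied list
    return "high" if new.lower() in dcs else "medium"


def is_suspicious_kerberos_client(event):
    """Sysmon 3 check: an initiated TCP connection to port 88 from an image
    outside the allow-list (here: powershell.exe reaching the KDC)."""
    if str(event.get("EventID")) != "3":
        return False
    if str(event.get("Protocol", "")).lower() != "tcp":
        return False
    if str(event.get("DestinationPort")) != "88":
        return False
    if str(event.get("Initiated", "")).lower() != "true":
        return False
    return str(event.get("Image", "")).lower() not in KERBEROS_CLIENTS


def triage(events, dc_hostnames=()):
    """Run both checks and return (rule, severity, summary) tuples."""
    findings = []
    for ev in events:
        sev = rename_severity(ev, dc_hostnames)
        if sev:
            findings.append((
                "computer_account_rename_cve_2021_42287", sev,
                f"{ev.get('SubjectUserName')} renamed "
                f"{ev['OldTargetUserName']} -> {ev['NewTargetUserName']}",
            ))
        if is_suspicious_kerberos_client(ev):
            findings.append((
                "suspicious_outbound_kerberos", "medium",
                f"{ev['Image']} (pid {ev.get('ProcessId')}) -> "
                f"{ev['DestinationIp']}:{ev['DestinationPort']}",
            ))
    return findings


# Constructed records modelled on the report's matches (Windows Security
# and Sysmon field names); the second and fourth are benign controls.
SAMPLE_EVENTS = [
    {"EventID": 4781, "SubjectUserName": "user", "TargetDomainName": "AD01",
     "OldTargetUserName": "dcadmin1$", "NewTargetUserName": "dc-01"},
    {"EventID": 4781, "SubjectUserName": "admin", "TargetDomainName": "AD01",
     "OldTargetUserName": "ws-old$", "NewTargetUserName": "ws-new$"},
    {"EventID": 3, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ProcessId": 5580, "Protocol": "tcp", "Initiated": "true",
     "DestinationIp": "192.168.1.200", "DestinationPort": 88},
    {"EventID": 3, "Image": r"C:\Windows\System32\lsass.exe", "ProcessId": 700,
     "Protocol": "tcp", "Initiated": "true",
     "DestinationIp": "192.168.1.200", "DestinationPort": 88},
]

if __name__ == "__main__":
    for rule, sev, summary in triage(SAMPLE_EVENTS, dc_hostnames=["DC-01"]):
        print(f"[{sev}] {rule}: {summary}")
```

Run stand-alone it reports the dcadmin1$ -> dc-01 rename as high (the name matches the DC) and the powershell.exe connection to 192.168.1.200:88 as medium; the routine host rename and the lsass.exe Kerberos traffic produce nothing. A plain host rename also drops no "$", so the first check does not fire on normal computer-account maintenance.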


        Exploits

Source: Yara match | File source: Invoke-noPac.ps1, type: SAMPLE
Source: Yara match | File source: 00000000.00000003.16112649314.00000204B7F53000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.16821259889.00000204AFF97000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: unknown | DNS traffic detected: query: 254.141.248.8.in-addr.arpa, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: 252.0.0.224.in-addr.arpa, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: 251.0.0.224.in-addr.arpa, reply code: Name error (3)
Source: unknown | DNS traffic detected: queries for: 252.0.0.224.in-addr.arpa
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (3x)
(Reply code 3 is NXDOMAIN. These are reverse (PTR) lookups for the LLMNR and mDNS multicast addresses 224.0.0.252 and 224.0.0.251 and for 8.248.141.254, an address that also appears in the whitelisted-IP list further down. Failed PTR lookups of this kind are routine Windows background noise rather than a dropper trying to reach an expired domain, so the "expired dropper behavior" signature carries little weight for this sample.)

System Summary

Source: 00000000.00000002.16751180655.000002049FE90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_TOOL_PWS_Rubeus (author = ditekSHen, description = Detects Rubeus kerberos defensive/offensive toolset)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ty12fgxh.xxn.ps1 (PowerShell's own AppLocker lockdown-mode probe, listed among the dropped files below; benign)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\26a845b249aefca961715129e3e55539\mscorlib.ni.dll
Source: classification engine | Classification label: mal60.expl.winPS1@2/8@3/1
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\Invoke-noPac.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Documents\20220201 (PowerShell transcription output directory; transcripts are written to Documents\<yyyyMMdd>)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (4x; this value is [TimeSpan]::MaxValue expressed in milliseconds, i.e. an effectively unbounded sleep, which is what the "Contains long sleeps" signature reports)
MITRE ATT&CK matrix. Only the techniques below had matching signatures (match count in parentheses); the remaining cells of the matrix were empty template entries.
  Privilege Escalation: Process Injection (1)
  Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (11); Process Injection (1)
  Discovery: Virtualization/Sandbox Evasion (11); File and Directory Discovery (1)
  Command and Control: Non-Application Layer Protocol (1); Application Layer Protocol (1)
No Antivirus matches
Name                        IP       Active   Malicious  Antivirus Detection  Reputation
252.0.0.224.in-addr.arpa    unknown  unknown  false      -                    unknown
251.0.0.224.in-addr.arpa    unknown  unknown  false      -                    unknown
254.141.248.8.in-addr.arpa  unknown  unknown  false      -                    unknown

IP             Domain  Country  Flag  ASN  ASN Name  Malicious
192.168.1.200  -       -        -     -    -         -
(192.168.1.200 is an RFC 1918 address, the peer that answers the sample's LDAP and Kerberos connections in the network table below; the ldap/DC-01.ad01.local target in the 4648 event above identifies it as the lab domain controller.)
              Joe Sandbox Version:34.0.0 Boulder Opal
              Analysis ID:1730306
              Start date:01.02.2022
              Start time:11:40:41
              Joe Sandbox Product:Cloud
              Overall analysis duration:0h 8m 17s
              Hypervisor based Inspection enabled:false
              Report type:full
              Sample file name:Invoke-noPac.ps1
              Cookbook file name:default.jbs
              Analysis system description:Windows 10x64 v21H1 joined to AD domain (Office 2019, IE11, Chrome 97, Java 8 Update 321, Adobe Reader DC 21.011, Python 3)
Number of new started processes analysed:4
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • EGA enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Detection:MAL
              Classification:mal60.expl.winPS1@2/8@3/1
              Cookbook Comments:
              • Adjust boot time
              • Enable AMSI
              • Found application associated with file extension: .ps1
              • Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe
              • Excluded IPs from analysis (whitelisted): 13.87.187.111, 20.199.120.182, 8.248.141.254, 8.248.135.254, 67.26.81.254, 8.253.95.249, 8.248.117.254
              • Excluded domains from analysis (whitelisted): 103.1.168.192.in-addr.arpa, client.wns.windows.com, 102.1.168.192.in-addr.arpa, fg.download.windowsupdate.com.c.footprint.net, 928100.ad01.local, _ldap._tcp.dc-01.ad01.local, wu-shim.trafficmanager.net, ctldl.windowsupdate.com, b.f.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.f.f.ip6.arpa, wdcp.microsoft.com, wd-prod-cp.trafficmanager.net, 109.1.168.192.in-addr.arpa, wdcpalt.microsoft.com, wns.notify.trafficmanager.net, wpad.ad01.local, 3.0.0.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.f.f.ip6.arpa, wd-prod-cp-us-west-1-fe.westus.cloudapp.azure.com, 107.1.168.192.in-addr.arpa, 105.1.168.192.in-addr.arpa, f.4.f.0.c.f.d.2.f.c.0.e.e.c.9.2.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa, nexusrules.officeapps.live.com, _ldap._tcp.Default-First-Site-Name._sites.dc-01.ad01.local
• Not all processes were analyzed, report is missing behavior information
Time      Type             Description
11:43:40  API Interceptor  23x Sleep call for process: powershell.exe modified
              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              File Type:data
              Category:dropped
              Size (bytes):43873
              Entropy (8bit):5.062295222575959
              Encrypted:false
              SSDEEP:768:vBfHWrxAfrRJPFY1UphNefsopbjoRjdvRgv6Cw4c/SvkDwKuYga5UoUv6h4iUxLe:vBfWrxAflJdY1UphNefsibjoRjdvRgvW
              MD5:721BF60FA4A785EFCF15FABAA2119FB2
              SHA1:EDFEE110B1625ACEE49BCD24EAC3B6018B2C16F8
              SHA-256:7DE07F19A757CBB4815DC5588ECFCDB56C0C5C29ADB2ED03904EE7B68F10C9FF
              SHA-512:3187D90D37AF680128528AE7A58B8CE1AF036ED9DB500B1F9739713399BDDC1E038DE9BF90B29E03A9174B86E0A8E8A1F00E6464443029586DCE4B536D2BDFCB
              Malicious:false
              Reputation:low
              Preview:PSMODULECACHE.?....j"?.z..?...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PKI\PKI.psd1........Export-Certificate........Get-CertificateNotificationTask........Get-PfxData........New-CertificateNotificationTask........Import-PfxCertificate....#...Set-CertificateAutoEnrollmentPolicy........Export-PfxCertificate........New-SelfSignedCertificate........Switch-Certificate....%...Get-CertificateEnrollmentPolicyServer....%...Add-CertificateEnrollmentPolicyServer....(...Remove-CertificateEnrollmentPolicyServer........Import-Certificate........Test-Certificate........Get-Certificate...."...Remove-CertificateNotificationTask....#...Get-CertificateAutoEnrollmentPolicy.........1...z..N...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module........Find-Command........Unregister-PSRepository........Get-InstalledScript........Get-DynamicOption
              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              File Type:data
              Category:modified
              Size (bytes):1360
              Entropy (8bit):5.33338808364183
              Encrypted:false
              SSDEEP:24:3pIwEVSIBo4KjpNs4RPTLiqemFoUe7omjKcm9qr9t7J0gt/NKY+r8Hc56ofW6G:6wWSL4D4R3iqemFoUeMmfm9qr9tK8Njp
              MD5:7F06805857E22B37B09600AF51E033D0
              SHA1:F946D8A75739F530D675873B3217C5D69C8A7E7F
              SHA-256:37CB72BC08F280C1DA4B229F312E05B9429B7303CA254A4B5C023E2E534C6797
              SHA-512:D973ABFB2B18C550AFA395B4F1F9643941F2BF3FAAF948C39E5942037CA5629D373DBCA2B2402605A4CB7ED46592F6635B22D2F705913E6CB784DE9B1294C43A
              Malicious:false
              Reputation:low
              Preview:@...e...........5...................(...1............@..........L...............Ab...9M.W.$l...5.....".System.DirectoryServices.Protocols..H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0..................)W_tD...B..T.........System..4................Vb..3tM..[G..'.........System.Core.D...............{0..XH.H......1.........System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@...............8Ak....G.......j........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4...............F;7..C..f.G..........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Command
              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              File Type:Little-endian UTF-16 Unicode text, with very long lines
              Category:dropped
              Size (bytes):602756
              Entropy (8bit):3.6851002738970062
              Encrypted:false
              SSDEEP:6144:/BaTzpYXkFdejne6sxh7WtFS4QWuntn3Dh:i
              MD5:11009AFE0DB7D8D83BB4197BF61581BD
              SHA1:13624E392010BDB71F9B47FCAB8B8E82C4A7C74D
              SHA-256:16C8A95A2957EEF56629FAB34BF2EC6F0DBB5DE541325F5EF65F93751601304F
              SHA-512:5B5F5D5DC5F2E994606ABFBE3D91D672FFEA695FEEDFF40E8A600E3AA89205FFB1A1E65D8191B3279D057DBE5AAAD07F0A7EEE6FB808BA20A324B2E626211CD9
              Malicious:false
              Reputation:low
              Preview:..[.a.t.t.r.i.b.u.t.e.T.y.p.e.s.]...(. .1...2...8.4.0...1.1.3.5.5.6...1...4...1.4.9. .N.A.M.E. .'.a.t.t.r.i.b.u.t.e.S.e.c.u.r.i.t.y.G.U.I.D.'. .S.Y.N.T.A.X. .'.1...3...6...1...4...1...1.4.6.6...1.1.5...1.2.1...1...4.0.'. .S.I.N.G.L.E.-.V.A.L.U.E. .)...(. .1...2...8.4.0...1.1.3.5.5.6...1...4...1.7.0.3. .N.A.M.E. .'.m.s.D.S.-.F.i.l.t.e.r.C.o.n.t.a.i.n.e.r.s.'. .S.Y.N.T.A.X. .'.1...3...6...1...4...1...1.4.6.6...1.1.5...1.2.1...1...1.5.'. .)...(. .1...2...8.4.0...1.1.3.5.5.6...1...4...6.5.5. .N.A.M.E. .'.l.e.g.a.c.y.E.x.c.h.a.n.g.e.D.N.'. .S.Y.N.T.A.X. .'.1...2...8.4.0...1.1.3.5.5.6...1...4...9.0.5.'. .S.I.N.G.L.E.-.V.A.L.U.E. .)...(. .1...2...8.4.0...1.1.3.5.5.6...1...4...2.1. .N.A.M.E. .'.c.O.M.P.r.o.g.I.D.'. .S.Y.N.T.A.X. .'.1...3...6...1...4...1...1.4.6.6...1.1.5...1.2.1...1...1.5.'. .)...(. .1...2...8.4.0...1.1.3.5.5.6...1...4...2.1.4.7. .N.A.M.E. .'.m.s.D.N.S.-.P.r.o.p.a.g.a.t.i.o.n.T.i.m.e.'. .S.Y.N.T.A.X. .'.1...3...6...1...4...1...1.4.6.6...1.1.5...1.2.1...1...2.7.'. .S.I.N.G.L.E.
              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              File Type:ASCII text, with no line terminators
              Category:dropped
              Size (bytes):60
              Entropy (8bit):4.038920595031593
              Encrypted:false
              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
              MD5:D17FE0A3F47BE24A6453E9EF58C94641
              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
              Malicious:false
              Reputation:moderate, very likely benign file
              Preview:# PowerShell test file to determine AppLocker lockdown mode
              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              File Type:ASCII text, with no line terminators
              Category:dropped
              Size (bytes):60
              Entropy (8bit):4.038920595031593
              Encrypted:false
              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
              MD5:D17FE0A3F47BE24A6453E9EF58C94641
              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
              Malicious:false
              Reputation:moderate, very likely benign file
              Preview:# PowerShell test file to determine AppLocker lockdown mode
              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              File Type:data
              Category:dropped
              Size (bytes):6221
              Entropy (8bit):3.694519148049471
              Encrypted:false
              SSDEEP:96:iAYDCP5FXCAWB3y8ukvhkvCCtnSuSdkwM5BHhfdkwM5BHhQ:ii5FvWBn6zwM5SwM5I
              MD5:F1778FF9415C3D60446D23A94C290809
              SHA1:593D5297D3725270A6FD115FC6CE854C41CA1489
              SHA-256:DAF3C3EF908D9DD7C06AF5D9B720F2CAEAADF546C6CD3AE724C770015A1F7B4E
              SHA-512:BD37981080E45709015FAFED3D7930D87AB9A41712D59D59C636A366AFBE997E18B0A21B4B687C73F81FC00502B1DD7E616F374372BC5506CCFB477BB32350B3
              Malicious:false
              Reputation:low
              Preview:...................................FL..................F.".. .....4.......^.`...z.:{.............................:..DG..Yr?.D..U..k0.&...&................A.........`.......t...CFSF..1.....?T....AppData...t.Y^...H.g.3..(.....gVA.G..k...@......?T..ATZ]...........................+..A.p.p.D.a.t.a...B.V.1.....?T...Roaming.@......?T..ATZ]............................0.R.o.a.m.i.n.g.....\.1.....?TV...MICROS~1..D......?T..ATZ]..........................A?..M.i.c.r.o.s.o.f.t.....V.1.....AT....Windows.@......?T..AT[]...........................Uc.W.i.n.d.o.w.s.......1.....?T....STARTM~1..n......?T..AT[]....................D......;k.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....?T....Programs..j......?T..AT[]....................@.......e.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......?T..?T............................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......?T..ATq]................
              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              File Type:data
              Category:dropped
              Size (bytes):6221
              Entropy (8bit):3.694519148049471
              Encrypted:false
              SSDEEP:96:iAYDCP5FXCAWB3y8ukvhkvCCtnSuSdkwM5BHhfdkwM5BHhQ:ii5FvWBn6zwM5SwM5I
              MD5:F1778FF9415C3D60446D23A94C290809
              SHA1:593D5297D3725270A6FD115FC6CE854C41CA1489
              SHA-256:DAF3C3EF908D9DD7C06AF5D9B720F2CAEAADF546C6CD3AE724C770015A1F7B4E
              SHA-512:BD37981080E45709015FAFED3D7930D87AB9A41712D59D59C636A366AFBE997E18B0A21B4B687C73F81FC00502B1DD7E616F374372BC5506CCFB477BB32350B3
              Malicious:false
              Reputation:low
              Preview:...................................FL..................F.".. .....4.......^.`...z.:{.............................:..DG..Yr?.D..U..k0.&...&................A.........`.......t...CFSF..1.....?T....AppData...t.Y^...H.g.3..(.....gVA.G..k...@......?T..ATZ]...........................+..A.p.p.D.a.t.a...B.V.1.....?T...Roaming.@......?T..ATZ]............................0.R.o.a.m.i.n.g.....\.1.....?TV...MICROS~1..D......?T..ATZ]..........................A?..M.i.c.r.o.s.o.f.t.....V.1.....AT....Windows.@......?T..AT[]...........................Uc.W.i.n.d.o.w.s.......1.....?T....STARTM~1..n......?T..AT[]....................D......;k.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....?T....Programs..j......?T..AT[]....................@.......e.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......?T..?T............................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......?T..ATq]................
              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
              Category:dropped
              Size (bytes):3677
              Entropy (8bit):6.0367578078889315
              Encrypted:false
              SSDEEP:96:BZ3xhjGNCHExo1Z+uvLcGQ134O5ACacU1/Z6XqhsV9Ih5rZX:DLQh55acU6ahX5l
              MD5:7967E4CB55064E684127FC89FE6AAC22
              SHA1:F6DC7397DCAE3CBBB7DE13F870D9AC301B9C1D3C
              SHA-256:238046B0C7B613C08D51300EE94646B38FC11E930408AC3A21CDD8144682C0E5
              SHA-512:A68D8CF3871AEC80641CED1F1073EC097D879F2F71C8FD570A8EDB011B170E5BBC68DFB2C4DFCB51F20403DEDF53B38C50147501DDA7A9499D3ECA1311694CE9
              Malicious:false
              Reputation:low
              Preview:.**********************..Windows PowerShell transcript start..Start time: 20220201114336..Username: AD01\user..RunAs User: AD01\user..Configuration Name: ..Machine: 928100 (Microsoft Windows NT 10.0.19043.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noLogo -ExecutionPolicy unrestricted -file C:\Users\user\Desktop\Invoke-noPac.ps1..Process ID: 5580..PSVersion: 5.1.19041.1320..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.19041.1320..BuildVersion: 10.0.19041.1320..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220201114337..**********************..PS>CommandInvocation(Invoke-noPac.ps1): "Invoke-noPac.ps1"..[+] Domain: ad01.local..[+] User account: user..[+] Encryption type: RC4..[+] Distinguished Name = CN=dcadmin1,CN=Computers,DC=ad01,DC=local..[+] Machine account dcadmin1 added..[+]
File type: ASCII text, with very long lines, with CRLF line terminators
Entropy (8bit): 6.011272384618114
TrID:
File name: Invoke-noPac.ps1
File size: 211840
MD5: 468704b3c87e636b9b8c360f5623f729
SHA1: 62fc35b64b5034064d75001288b9b1911ea28635
SHA256: 4e37819484e865f8e20c2aaa94ec05f3bfe3bb6f36ea4bb6df376c8d4f1ffcca
SHA512: 4bf7864cfe5b2450cae27d048f821cfba82403550fcfd461c4f5ebbcd05afbf9a013a34340b413989b9201dd5c3e87e77334e3f67895ebe8aca0c520c9af7f45
SSDEEP: 3072:QIiVPj2D590fxKCETjxyWIaVaXuTdRWsiUEvOWew3FX9aTtHieW5AblQkgj5RmnK:QIO2D590eyRawXuTh0eMX93ltly4
File Content Preview (CRLF markers rendered as line breaks; the preview is truncated in the report):

    function Invoke-noPac
    {
        [CmdletBinding()]
        Param (
            [String]
            $Command = " "
        )
        # gzip -c noPac.exe | base64 -w0 > noPac.txt
        $a=New-Object IO.MemoryStream(,[Convert]::FromBAsE64String("H4sIAAAAAAAAA9S9B3wcxfU4Pre7

The script is a loader: the base64 literal (starting H4sI, the base64 form of the gzip magic 1f 8b 08) is decoded into a MemoryStream, and the script's own comment says it is a gzip of noPac.exe. The memory Yara hits above confirm the assembly ends up unpacked inside the powershell.exe process. The mixed-case FromBAsE64String is legal because PowerShell method names are case-insensitive; its only purpose is to dodge case-sensitive string signatures.
Icon Hash: 72f2d6fef6f6dae4
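The preview shows the loader pattern: a gzip-compressed, base64-encoded .NET assembly handed to [Convert]::FromBase64String (spelled FromBAsE64String in the sample). The Python below is an added example written for this page, not part of the report or of Invoke-noPac, that carves such a payload out of a loader for offline triage: it finds every FromBase64String literal case-insensitively, decodes it, inflates it if it carries the gzip magic, and reports whether the result has a PE header together with its size and SHA-256. The SAMPLE_SCRIPT and FAKE_PE bytes are constructed stand-ins, since the real blob is not reproduced on this page.

```python
"""Added example (not from the report or from Invoke-noPac itself).

Carves the embedded payload out of a PowerShell loader of the shape shown in
the file preview: a gzip-compressed, base64-encoded .NET assembly passed to
[Convert]::FromBase64String (the sample spells it FromBAsE64String; the
PowerShell method name is case-insensitive, so the regex is too).
"""
import base64
import gzip
import hashlib
import io
import re

# Match FromBase64String("<blob>") in any case, quoted with " or '.
_B64_CALL = re.compile(
    r"FromBase64String\(\s*([\"'])([A-Za-z0-9+/=\s]+)\1\s*\)",
    re.IGNORECASE,
)


def extract_blobs(script_text):
    """Decode every base64 literal handed to FromBase64String."""
    blobs = []
    for _quote, b64 in _B64_CALL.findall(script_text):
        try:
            blobs.append(base64.b64decode(re.sub(r"\s+", "", b64), validate=True))
        except ValueError:
            continue  # not a clean base64 literal; skip it
    return blobs


def unwrap(blob):
    """gzip members start 1f 8b (base64 'H4sI', as in the preview); inflate
    those and return anything else untouched."""
    if blob[:2] == b"\x1f\x8b":
        with gzip.GzipFile(fileobj=io.BytesIO(blob)) as gz:
            return gz.read()
    return blob


def carve(script_text):
    """Return one record per embedded payload: compression, PE check, size, hash."""
    records = []
    for blob in extract_blobs(script_text):
        data = unwrap(blob)
        records.append({
            "gzip": blob[:2] == b"\x1f\x8b",
            "is_pe": data[:2] == b"MZ",          # DOS header magic of a PE/.NET assembly
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    return records


# Constructed stand-in for the real blob: a fake PE-shaped payload, wrapped the
# way the sample's own comment describes (gzip -c noPac.exe | base64 -w0).
FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"A" * 200
FAKE_PE_SHA256 = hashlib.sha256(FAKE_PE).hexdigest()
SAMPLE_SCRIPT = (
    "function Invoke-noPac\n{\n"
    "    $a=New-Object IO.MemoryStream(,[Convert]::FromBAsE64String(\""
    + base64.b64encode(gzip.compress(FAKE_PE, mtime=0)).decode()
    + "\"))\n}\n"
)

if __name__ == "__main__":
    for rec in carve(SAMPLE_SCRIPT):
        print(rec)
```

On a real sample the carved bytes are what you hash, scan with the Yara rules that matched in memory, and feed to a .NET decompiler; hashing the wrapper script alone (the report's 468704b3... MD5) misses every re-encoding of the same payload.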
Network trace (TCP; sandbox host 192.168.1.201, peer 192.168.1.200). Port 135 is the RPC endpoint mapper and 49667 a dynamic RPC port, 389 is LDAP and 88 is Kerberos; note the three short Kerberos connections (source ports 62723, 62724, 62725) opened between the LDAP sessions at 11:43:59.

Timestamp                           Src Port  Dst Port  Source IP      Dest IP
Feb 1, 2022 11:43:23.286159992 CET  62691     135       192.168.1.201  192.168.1.200
Feb 1, 2022 11:43:23.292130947 CET  135       62691     192.168.1.200  192.168.1.201
Feb 1, 2022 11:43:23.292166948 CET  135       62691     192.168.1.200  192.168.1.201
Feb 1, 2022 11:43:23.292382002 CET  62691     135       192.168.1.201  192.168.1.200
Feb 1, 2022 11:43:43.285917044 CET  62701     49667     192.168.1.201  192.168.1.200
Feb 1, 2022 11:43:43.286165953 CET  49667     62701     192.168.1.200  192.168.1.201
Feb 1, 2022 11:43:43.286314011 CET  49667     62701     192.168.1.200  192.168.1.201
Feb 1, 2022 11:43:43.286438942 CET  62701     49667     192.168.1.201  192.168.1.200
Feb 1, 2022 11:43:59.553690910 CET  62722     389       192.168.1.201  192.168.1.200
Feb 1, 2022 11:43:59.561758041 CET  389       62722     192.168.1.200  192.168.1.201
Feb 1, 2022 11:43:59.561949015 CET  62722     389       192.168.1.201  192.168.1.200
Feb 1, 2022 11:43:59.722887993 CET  62722     389       192.168.1.201  192.168.1.200
Feb 1, 2022 11:43:59.723568916 CET  389       62722     192.168.1.200  192.168.1.201
Feb 1, 2022 11:43:59.728861094 CET  62722     389       192.168.1.201  192.168.1.200
Feb 1, 2022 11:43:59.735474110 CET  62723     88        192.168.1.201  192.168.1.200
Feb 1, 2022 11:43:59.736447096 CET  88        62723     192.168.1.200  192.168.1.201
Feb 1, 2022 11:43:59.744762897 CET  62723     88        192.168.1.201  192.168.1.200
Feb 1, 2022 11:43:59.745800018 CET  62723     88        192.168.1.201  192.168.1.200
Feb 1, 2022 11:43:59.746787071 CET  88        62723     192.168.1.200  192.168.1.201
Feb 1, 2022 11:43:59.747107983 CET  62723     88        192.168.1.201  192.168.1.200
Feb 1, 2022 11:43:59.747272968 CET  88        62723     192.168.1.200  192.168.1.201
Feb 1, 2022 11:43:59.747370958 CET  88        62723     192.168.1.200  192.168.1.201
Feb 1, 2022 11:43:59.768305063 CET  62724     88        192.168.1.201  192.168.1.200
Feb 1, 2022 11:43:59.768665075 CET  88        62724     192.168.1.200  192.168.1.201
Feb 1, 2022 11:43:59.768950939 CET  62724     88        192.168.1.201  192.168.1.200
Feb 1, 2022 11:43:59.769066095 CET  62724     88        192.168.1.201  192.168.1.200
Feb 1, 2022 11:43:59.770452976 CET  88        62724     192.168.1.200  192.168.1.201
Feb 1, 2022 11:43:59.770862103 CET  62724     88        192.168.1.201  192.168.1.200
Feb 1, 2022 11:43:59.771004915 CET  88        62724     192.168.1.200  192.168.1.201
Feb 1, 2022 11:43:59.771126986 CET  88        62724     192.168.1.200  192.168.1.201
Feb 1, 2022 11:43:59.772367954 CET  62725     88        192.168.1.201  192.168.1.200
Feb 1, 2022 11:43:59.772578955 CET  88        62725     192.168.1.200  192.168.1.201
Feb 1, 2022 11:43:59.773046017 CET  62725     88        192.168.1.201  192.168.1.200
Feb 1, 2022 11:43:59.773093939 CET  62725     88        192.168.1.201  192.168.1.200
Feb 1, 2022 11:43:59.773240089 CET  88        62725     192.168.1.200  192.168.1.201
Feb 1, 2022 11:43:59.774779081 CET  88        62725     192.168.1.200  192.168.1.201
Feb 1, 2022 11:43:59.780801058 CET  62725     88        192.168.1.201  192.168.1.200
Feb 1, 2022 11:43:59.781038046 CET  88        62725     192.168.1.200  192.168.1.201
Feb 1, 2022 11:43:59.781152964 CET  88        62725     192.168.1.200  192.168.1.201
Feb 1, 2022 11:43:59.848985910 CET  62722     389       192.168.1.201  192.168.1.200
Feb 1, 2022 11:43:59.849196911 CET  389       62722     192.168.1.200  192.168.1.201
Feb 1, 2022 11:43:59.850568056 CET  389       62722     192.168.1.200  192.168.1.201
Feb 1, 2022 11:43:59.884143114 CET  389       62722     192.168.1.200  192.168.1.201
Feb 1, 2022 11:43:59.884282112 CET  62722     389       192.168.1.201  192.168.1.200
Feb 1, 2022 11:44:04.649558067 CET  62722     389       192.168.1.201  192.168.1.200
Feb 1, 2022 11:44:04.673340082 CET  389       62722     192.168.1.200  192.168.1.201
Feb 1, 2022 11:44:04.773921967 CET  389       62722     192.168.1.200  192.168.1.201
Feb 1, 2022 11:44:04.808330059 CET  389       62722     192.168.1.200  192.168.1.201
Feb 1, 2022 11:44:04.808578968 CET  62722     389       192.168.1.201  192.168.1.200
Feb 1, 2022 11:44:06.974596024 CET  62722     389       192.168.1.201  192.168.1.200
Feb 1, 2022 11:44:06.975444078 CET  62722     389       192.168.1.201  192.168.1.200
Feb 1, 2022 11:44:06.976730108 CET  389       62722     192.168.1.200  192.168.1.201
Feb 1, 2022 11:44:06.976977110 CET  389       62722     192.168.1.200  192.168.1.201
Feb 1, 2022 11:44:09.615756035 CET  62726     389       192.168.1.201  192.168.1.200
Feb 1, 2022 11:44:09.616413116 CET  389       62726     192.168.1.200  192.168.1.201
Feb 1, 2022 11:44:09.621007919 CET  62726     389       192.168.1.201  192.168.1.200
Feb 1, 2022 11:44:09.741796970 CET  62726     389       192.168.1.201  192.168.1.200
Feb 1, 2022 11:44:09.743999004 CET  389       62726     192.168.1.200  192.168.1.201
Feb 1, 2022 11:44:09.752160072 CET  62726     389       192.168.1.201  192.168.1.200
Feb 1, 2022 11:44:09.762471914 CET  389       62726     192.168.1.200  192.168.1.201
Feb 1, 2022 11:44:09.763567924 CET  62726     389       192.168.1.201  192.168.1.200
Feb 1, 2022 11:44:09.764426947 CET  389       62726     192.168.1.200  192.168.1.201
Feb 1, 2022 11:44:09.812269926 CET  389       62726     192.168.1.200  192.168.1.201
Feb 1, 2022 11:44:09.812926054 CET  62726     389       192.168.1.201  192.168.1.200
Feb 1, 2022 11:44:09.827871084 CET  62726     389       192.168.1.201  192.168.1.200
Feb 1, 2022 11:44:09.828336954 CET  389       62726     192.168.1.200  192.168.1.201
Feb 1, 2022 11:44:09.828906059 CET  62726     389       192.168.1.201  192.168.1.200
Feb 1, 2022 11:44:09.830271006 CET  389       62726     192.168.1.200  192.168.1.201
Feb 1, 2022 11:44:09.830467939 CET  62726     389       192.168.1.201  192.168.1.200
Feb 1, 2022 11:44:09.830593109 CET  389       62726     192.168.1.200  192.168.1.201
Feb 1, 2022 11:44:09.831763029 CET  62726     389       192.168.1.201  192.168.1.200
Feb 1, 2022 11:44:09.832586050 CET  389       62726     192.168.1.200  192.168.1.201
Feb 1, 2022 11:44:09.833903074 CET  62726     389       192.168.1.201  192.168.1.200
Feb 1, 2022 11:44:09.834393978 CET  389       62726     192.168.1.200  192.168.1.201
Feb 1, 2022 11:44:09.835061073 CET  62726     389       192.168.1.201  192.168.1.200
Feb 1, 2022 11:44:09.847117901 CET  389       62726     192.168.1.200  192.168.1.201
Feb 1, 2022 11:44:09.847517014 CET  62726     389       192.168.1.201  192.168.1.200
Feb 1, 2022 11:44:09.847676992 CET  389       62726     192.168.1.200  192.168.1.201
Feb 1, 2022 11:44:09.847846985 CET  62726     389       192.168.1.201  192.168.1.200
Feb 1, 2022 11:44:09.847964048 CET  389       62726     192.168.1.200  192.168.1.201
Feb 1, 2022 11:44:09.848144054 CET  62726     389       192.168.1.201  192.168.1.200
Feb 1, 2022 11:44:09.848843098 CET  389       62726     192.168.1.200  192.168.1.201
                Feb 1, 2022 11:44:09.849100113 CET62726389192.168.1.201192.168.1.200
                Feb 1, 2022 11:44:09.849252939 CET38962726192.168.1.200192.168.1.201
                Feb 1, 2022 11:44:09.849500895 CET62726389192.168.1.201192.168.1.200
                Feb 1, 2022 11:44:09.849626064 CET38962726192.168.1.200192.168.1.201
                Feb 1, 2022 11:44:09.849811077 CET62726389192.168.1.201192.168.1.200
                Feb 1, 2022 11:44:09.849931002 CET38962726192.168.1.200192.168.1.201
                Feb 1, 2022 11:44:09.851711035 CET62726389192.168.1.201192.168.1.200
                Feb 1, 2022 11:44:09.851887941 CET38962726192.168.1.200192.168.1.201
                Feb 1, 2022 11:44:09.852854013 CET62726389192.168.1.201192.168.1.200
                Feb 1, 2022 11:44:09.853271961 CET38962726192.168.1.200192.168.1.201
                Feb 1, 2022 11:44:09.853503942 CET62726389192.168.1.201192.168.1.200
                Feb 1, 2022 11:44:09.853729010 CET38962726192.168.1.200192.168.1.201
                Feb 1, 2022 11:44:09.853955984 CET62726389192.168.1.201192.168.1.200
                Feb 1, 2022 11:44:09.854080915 CET38962726192.168.1.200192.168.1.201
                Feb 1, 2022 11:44:09.855082989 CET62726389192.168.1.201192.168.1.200
                Feb 1, 2022 11:44:09.856462955 CET38962726192.168.1.200192.168.1.201
                Feb 1, 2022 11:44:09.857713938 CET62726389192.168.1.201192.168.1.200
                Feb 1, 2022 11:44:09.857888937 CET38962726192.168.1.200192.168.1.201
                Feb 1, 2022 11:44:09.860650063 CET62726389192.168.1.201192.168.1.200
                Feb 1, 2022 11:44:09.861171961 CET38962726192.168.1.200192.168.1.201
                Feb 1, 2022 11:44:09.861321926 CET62726389192.168.1.201192.168.1.200
                Feb 1, 2022 11:44:09.861537933 CET62726389192.168.1.201192.168.1.200
                Feb 1, 2022 11:44:09.862185001 CET38962726192.168.1.200192.168.1.201
                Feb 1, 2022 11:44:09.862417936 CET62726389192.168.1.201192.168.1.200
                Feb 1, 2022 11:44:09.862461090 CET38962726192.168.1.200192.168.1.201
                Feb 1, 2022 11:44:09.862627983 CET38962726192.168.1.200192.168.1.201
                Feb 1, 2022 11:44:09.862627983 CET62726389192.168.1.201192.168.1.200
                Feb 1, 2022 11:44:09.862763882 CET38962726192.168.1.200192.168.1.201
                Feb 1, 2022 11:44:09.862881899 CET62726389192.168.1.201192.168.1.200
                Feb 1, 2022 11:44:09.863002062 CET38962726192.168.1.200192.168.1.201
                Feb 1, 2022 11:44:09.863152027 CET62726389192.168.1.201192.168.1.200
                Feb 1, 2022 11:44:09.863275051 CET38962726192.168.1.200192.168.1.201
                Feb 1, 2022 11:44:09.863403082 CET62726389192.168.1.201192.168.1.200
                Feb 1, 2022 11:44:09.863529921 CET38962726192.168.1.200192.168.1.201
                Feb 1, 2022 11:44:09.863676071 CET62726389192.168.1.201192.168.1.200
                Feb 1, 2022 11:44:09.863795042 CET38962726192.168.1.200192.168.1.201
                Feb 1, 2022 11:44:09.863960981 CET62726389192.168.1.201192.168.1.200
                Feb 1, 2022 11:44:09.864082098 CET38962726192.168.1.200192.168.1.201
                Feb 1, 2022 11:44:09.864114046 CET62726389192.168.1.201192.168.1.200
                Feb 1, 2022 11:44:09.864237070 CET38962726192.168.1.200192.168.1.201
                Feb 1, 2022 11:44:09.864301920 CET62726389192.168.1.201192.168.1.200
                Feb 1, 2022 11:44:09.864490032 CET62726389192.168.1.201192.168.1.200
                Feb 1, 2022 11:44:18.652791023 CET62726389192.168.1.201192.168.1.200
                Feb 1, 2022 11:44:18.659372091 CET38962726192.168.1.200192.168.1.201
                Feb 1, 2022 11:44:18.680980921 CET38962726192.168.1.200192.168.1.201
                Feb 1, 2022 11:44:18.681921959 CET62726389192.168.1.201192.168.1.200
                Feb 1, 2022 11:44:20.402918100 CET62726389192.168.1.201192.168.1.200
                Feb 1, 2022 11:44:20.403448105 CET38962726192.168.1.200192.168.1.201
                Feb 1, 2022 11:44:22.660028934 CET62728389192.168.1.201192.168.1.200
                Feb 1, 2022 11:44:22.660345078 CET38962728192.168.1.200192.168.1.201
                Feb 1, 2022 11:44:22.660599947 CET62728389192.168.1.201192.168.1.200
                Feb 1, 2022 11:44:22.664041042 CET62728389192.168.1.201192.168.1.200
                Feb 1, 2022 11:44:22.664617062 CET38962728192.168.1.200192.168.1.201
                Feb 1, 2022 11:44:22.666135073 CET62728389192.168.1.201192.168.1.200
                Feb 1, 2022 11:44:22.667490005 CET38962728192.168.1.200192.168.1.201
                Feb 1, 2022 11:44:22.668199062 CET62728389192.168.1.201192.168.1.200
                Feb 1, 2022 11:44:22.668653965 CET38962728192.168.1.200192.168.1.201
                Feb 1, 2022 11:44:22.683998108 CET62728389192.168.1.201192.168.1.200
                Feb 1, 2022 11:44:22.687057972 CET38962728192.168.1.200192.168.1.201
                Feb 1, 2022 11:44:22.687491894 CET62728389192.168.1.201192.168.1.200
                Feb 1, 2022 11:44:22.687700033 CET38962728192.168.1.200192.168.1.201
                Feb 1, 2022 11:44:28.749234915 CET6274088192.168.1.201192.168.1.200
                Feb 1, 2022 11:44:28.749525070 CET8862740192.168.1.200192.168.1.201
                Feb 1, 2022 11:44:28.749855995 CET6274088192.168.1.201192.168.1.200
                Feb 1, 2022 11:44:28.752336979 CET6274088192.168.1.201192.168.1.200
                Feb 1, 2022 11:44:28.776544094 CET8862740192.168.1.200192.168.1.201
                Feb 1, 2022 11:44:28.776649952 CET6274088192.168.1.201192.168.1.200
                Feb 1, 2022 11:44:28.778820038 CET8862740192.168.1.200192.168.1.201
                Feb 1, 2022 11:44:28.779350042 CET6274088192.168.1.201192.168.1.200
                Feb 1, 2022 11:44:28.779602051 CET8862740192.168.1.200192.168.1.201
                Feb 1, 2022 11:44:28.779727936 CET8862740192.168.1.200192.168.1.201
                Feb 1, 2022 11:44:36.744256973 CET62741389192.168.1.201192.168.1.200
                Feb 1, 2022 11:44:36.744574070 CET38962741192.168.1.200192.168.1.201
                Feb 1, 2022 11:44:36.744833946 CET62741389192.168.1.201192.168.1.200
                Feb 1, 2022 11:44:36.748274088 CET62741389192.168.1.201192.168.1.200
                Feb 1, 2022 11:44:36.748797894 CET38962741192.168.1.200192.168.1.201
                Feb 1, 2022 11:44:36.749684095 CET62741389192.168.1.201192.168.1.200
                Feb 1, 2022 11:44:36.752315998 CET38962741192.168.1.200192.168.1.201
                Feb 1, 2022 11:44:36.753261089 CET62741389192.168.1.201192.168.1.200
                Feb 1, 2022 11:44:36.753897905 CET38962741192.168.1.200192.168.1.201
                Feb 1, 2022 11:44:36.767260075 CET62741389192.168.1.201192.168.1.200
                Feb 1, 2022 11:44:36.769752979 CET38962741192.168.1.200192.168.1.201
                Feb 1, 2022 11:44:36.770791054 CET62741389192.168.1.201192.168.1.200
                Feb 1, 2022 11:44:36.771070957 CET38962741192.168.1.200192.168.1.201
                Feb 1, 2022 11:44:40.854106903 CET6274288192.168.1.201192.168.1.200
                Feb 1, 2022 11:44:40.854569912 CET8862742192.168.1.200192.168.1.201
                Feb 1, 2022 11:44:40.854732990 CET6274288192.168.1.201192.168.1.200
                Feb 1, 2022 11:44:40.854934931 CET6274288192.168.1.201192.168.1.200
                Feb 1, 2022 11:44:40.868436098 CET8862742192.168.1.200192.168.1.201
                Feb 1, 2022 11:44:40.868616104 CET6274288192.168.1.201192.168.1.200
                Feb 1, 2022 11:44:40.870723009 CET8862742192.168.1.200192.168.1.201
                Feb 1, 2022 11:44:40.871069908 CET6274288192.168.1.201192.168.1.200
                Feb 1, 2022 11:44:40.871185064 CET8862742192.168.1.200192.168.1.201
                Feb 1, 2022 11:44:40.871263981 CET8862742192.168.1.200192.168.1.201
Timestamp  Source Port  Dest Port  Source IP  Dest IP
Feb 1, 2022 11:43:23.562066078 CET  49526  53  192.168.1.200  1.1.1.1
Feb 1, 2022 11:43:23.577471018 CET  53  55099  1.1.1.1  192.168.1.200
Feb 1, 2022 11:43:23.579490900 CET  53  49526  1.1.1.1  192.168.1.200
Feb 1, 2022 11:43:24.399924994 CET  137  137  192.168.1.200  192.168.1.108
Feb 1, 2022 11:43:25.945925951 CET  137  137  192.168.1.200  192.168.1.108
Feb 1, 2022 11:43:48.355431080 CET  53  49965  1.1.1.1  192.168.1.200
Feb 1, 2022 11:43:48.357671976 CET  137  137  192.168.1.200  192.168.1.107
Feb 1, 2022 11:43:48.359935999 CET  137  137  192.168.1.107  192.168.1.200
Feb 1, 2022 11:43:48.360420942 CET  5355  53318  192.168.1.107  192.168.1.200
Feb 1, 2022 11:43:57.512604952 CET  53  58860  192.168.1.200  192.168.1.201
Feb 1, 2022 11:43:58.026571989 CET  49182  53  192.168.1.200  1.1.1.1
Feb 1, 2022 11:43:58.044071913 CET  53  49182  1.1.1.1  192.168.1.200
Feb 1, 2022 11:43:58.048924923 CET  53  50689  1.1.1.1  192.168.1.200
Feb 1, 2022 11:43:58.049098969 CET  53  50269  1.1.1.1  192.168.1.200
Feb 1, 2022 11:43:58.052498102 CET  5355  58058  192.168.1.201  192.168.1.200
Feb 1, 2022 11:43:59.507317066 CET  53  58687  192.168.1.200  192.168.1.201
Feb 1, 2022 11:43:59.508996964 CET  53  49363  192.168.1.200  192.168.1.201
Feb 1, 2022 11:44:02.108531952 CET  53  54896  1.1.1.1  192.168.1.200
Feb 1, 2022 11:44:02.108839035 CET  53  65414  1.1.1.1  192.168.1.200
Feb 1, 2022 11:44:02.112487078 CET  137  137  192.168.1.200  192.168.1.109
Feb 1, 2022 11:44:02.117116928 CET  137  137  192.168.1.200  192.168.1.102
Feb 1, 2022 11:44:03.684499979 CET  137  137  192.168.1.200  192.168.1.102
Feb 1, 2022 11:44:03.684536934 CET  137  137  192.168.1.200  192.168.1.109
Feb 1, 2022 11:44:04.778887033 CET  137  137  192.168.1.200  192.168.1.255
Feb 1, 2022 11:44:04.778893948 CET  137  137  192.168.1.200  192.168.1.255
Feb 1, 2022 11:44:05.139161110 CET  53  50015  1.1.1.1  192.168.1.200
Feb 1, 2022 11:44:05.144342899 CET  137  137  192.168.1.200  192.168.1.105
Feb 1, 2022 11:44:05.145418882 CET  137  137  192.168.1.105  192.168.1.200
Feb 1, 2022 11:44:05.211410046 CET  137  137  192.168.1.200  192.168.1.109
Feb 1, 2022 11:44:05.211543083 CET  137  137  192.168.1.200  192.168.1.102
Feb 1, 2022 11:44:05.541835070 CET  137  137  192.168.1.200  192.168.1.255
Feb 1, 2022 11:44:05.541840076 CET  137  137  192.168.1.200  192.168.1.255
Feb 1, 2022 11:44:06.304716110 CET  137  137  192.168.1.200  192.168.1.255
Feb 1, 2022 11:44:06.304770947 CET  137  137  192.168.1.200  192.168.1.255
Feb 1, 2022 11:44:07.058146000 CET  137  137  192.168.1.200  192.168.1.255
Feb 1, 2022 11:44:07.058165073 CET  137  137  192.168.1.200  192.168.1.255
Feb 1, 2022 11:44:07.339049101 CET  53  62068  192.168.1.200  192.168.1.201
Feb 1, 2022 11:44:09.606844902 CET  53  53859  192.168.1.200  192.168.1.201
Feb 1, 2022 11:44:09.612562895 CET  53  62712  192.168.1.200  192.168.1.201
Feb 1, 2022 11:44:12.172116995 CET  55054  53  192.168.1.200  1.1.1.1
Feb 1, 2022 11:44:12.284538031 CET  53  55054  1.1.1.1  192.168.1.200
Feb 1, 2022 11:44:12.699924946 CET  53  59357  192.168.1.200  192.168.1.201
Feb 1, 2022 11:44:15.234267950 CET  53  54966  1.1.1.1  192.168.1.200
Feb 1, 2022 11:44:15.243376017 CET  137  137  192.168.1.200  192.168.1.103
Feb 1, 2022 11:44:16.748106003 CET  137  137  192.168.1.200  192.168.1.103
Feb 1, 2022 11:44:16.748112917 CET  137  137  192.168.1.200  192.168.1.103
Feb 1, 2022 11:44:18.276104927 CET  137  137  192.168.1.200  192.168.1.103
Feb 1, 2022 11:44:18.276113033 CET  137  137  192.168.1.200  192.168.1.103
Feb 1, 2022 11:44:20.553931952 CET  53  50922  192.168.1.200  192.168.1.201
Feb 1, 2022 11:44:22.611747026 CET  53  55089  192.168.1.200  192.168.1.201
Feb 1, 2022 11:44:22.629219055 CET  53  63209  192.168.1.200  192.168.1.201
Feb 1, 2022 11:44:34.668649912 CET  53  53965  192.168.1.200  192.168.1.201
Feb 1, 2022 11:44:36.716800928 CET  53  53186  192.168.1.200  192.168.1.201
Feb 1, 2022 11:44:36.721396923 CET  53  49626  192.168.1.200  192.168.1.201
Timestamp  Source IP  Dest IP  Trans ID  OP Code  Name  Type  Class
Feb 1, 2022 11:43:23.562066078 CET  192.168.1.200  1.1.1.1  0x31b9  Standard query (0)  252.0.0.224.in-addr.arpa  PTR (Pointer record)  IN (0x0001)
Feb 1, 2022 11:43:58.026571989 CET  192.168.1.200  1.1.1.1  0x911a  Standard query (0)  251.0.0.224.in-addr.arpa  PTR (Pointer record)  IN (0x0001)
Feb 1, 2022 11:44:12.172116995 CET  192.168.1.200  1.1.1.1  0x84a9  Standard query (0)  254.141.248.8.in-addr.arpa  PTR (Pointer record)  IN (0x0001)

Timestamp  Source IP  Dest IP  Trans ID  Reply Code  Name  CName  Address  Type  Class
Feb 1, 2022 11:43:23.579490900 CET  1.1.1.1  192.168.1.200  0x31b9  Name error (3)  252.0.0.224.in-addr.arpa  none  none  PTR (Pointer record)  IN (0x0001)
Feb 1, 2022 11:43:58.044071913 CET  1.1.1.1  192.168.1.200  0x911a  Name error (3)  251.0.0.224.in-addr.arpa  none  none  PTR (Pointer record)  IN (0x0001)
Feb 1, 2022 11:44:12.284538031 CET  1.1.1.1  192.168.1.200  0x84a9  Name error (3)  254.141.248.8.in-addr.arpa  none  none  PTR (Pointer record)  IN (0x0001)


Target ID: 0
Start time: 11:43:31
Start date: 01/02/2022
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\Invoke-noPac.ps1
Imagebase: 0x7ff64f360000
File size: 452608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: INDICATOR_TOOL_PWS_Rubeus, Description: Detects Rubeus kerberos defensive/offensive toolset, Source: 00000000.00000002.16751180655.000002049FE90000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_noPac, Description: Yara detected noPac, Source: 00000000.00000003.16112649314.00000204B7F53000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_noPac, Description: Yara detected noPac, Source: 00000000.00000002.16821259889.00000204AFF97000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: moderate

Target ID: 2
Start time: 11:43:31
Start date: 01/02/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff790d20000
File size: 889344 bytes
MD5 hash: D837FA4DEE7D84C19FF6F71FC48A6625
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

                No disassembly