Edit tour

Windows Analysis Report
2stage.ps1

Overview

General Information

Sample name:	2stage.ps1
Analysis ID:	1557817
MD5:	f65ba6b3d6b6e287d7123fb8211ec264
SHA1:	6b89bd7576b9e9905d964242942fa2a40cf5456b
SHA256:	12d5ec77e4e5cd9fde641f95126e174e82eaa273e2efdd6da78bce56fc7ba244
Tags:	ps1rigzuvzi3bnz3-topuser-JAMESWT_MHT
Infos:

Detection

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Suricata IDS alerts for network traffic

AI detected suspicious sample

Loading BitLocker PowerShell Module

Queries Google from non browser process on port 80

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Contains functionality to query CPU information (cpuid)

Contains long sleeps (>= 3 min)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sigma detected: Change PowerShell Policies to an Insecure Level

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

powershell.exe (PID: 6816 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\2stage.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Sigma Signatures

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\2stage.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\2stage.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\2stage.ps1", ProcessId: 6816, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\2stage.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\2stage.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\2stage.ps1", ProcessId: 6816, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE TA582 CnC Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-18T16:54:01.304373+0100	2856654	1	A Network Trojan was detected	192.168.2.4	49730	206.188.196.37	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 90.9% probability

Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1934617561.000002D8A1E30000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: .Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000000.00000002.1937776158.000002D8A2226000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: powershell.exe, 00000000.00000002.1935896996.000002D8A20C0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1935896996.000002D8A20C0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb%{" source: powershell.exe, 00000000.00000002.1937776158.000002D8A2226000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb34e089 source: powershell.exe, 00000000.00000002.1937776158.000002D8A226F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.pdb-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000000.00000002.1935896996.000002D8A20C0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb7 source: powershell.exe, 00000000.00000002.1935896996.000002D8A213B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.1935896996.000002D8A20C0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.1937776158.000002D8A22B9000.00000004.00000020.00020000.00000000.sdmp

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2856654 - Severity 1 - ETPRO MALWARE TA582 CnC Checkin : 192.168.2.4:49730 -> 206.188.196.37:80

Queries Google from non browser process on port 80

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

HTTP traffic: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: www.google.com Connection: Keep-Alive

Source: Joe Sandbox View

IP Address: 206.188.196.37 206.188.196.37

Source: Joe Sandbox View

ASN Name: DEFENSE-NETUS DEFENSE-NETUS

Source: global traffic	HTTP traffic detected: GET /eisn5g1lwjhtr.php?id=user-PC&key=111095586772&s=mints13 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: danknlmmaahlimg.topConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: www.google.comConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /eisn5g1lwjhtr.php?id=user-PC&key=111095586772&s=mints13 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: danknlmmaahlimg.topConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: www.google.comConnection: Keep-Alive

Source: powershell.exe, 00000000.00000002.1885846907.000002D88BB38000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: *href=https://www.youtube.com/?tab=w1><spanX equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: danknlmmaahlimg.top
Source: global traffic	DNS traffic detected: DNS query: www.google.com

Source: powershell.exe, 00000000.00000002.1885846907.000002D889F48000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1885846907.000002D88B13B000.00000004.00000800.00020000.00000000.sdmp, 2stage.ps1	String found in binary or memory: http://$fz6258ikejydvr9/$1pjduqg5e6wlfi4.php?id=$env:computername&key=$zqphcmeybxj&s=mints13
Source: powershell.exe, 00000000.00000002.1885846907.000002D88B45A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://0.google.
Source: powershell.exe, 00000000.00000002.1885846907.000002D88B45A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://0.google.com/
Source: powershell.exe, 00000000.00000002.1935776197.000002D8A1FC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: powershell.exe, 00000000.00000002.1885846907.000002D88B3D6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1885846907.000002D88B13B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://danknlmmaahlimg.top
Source: powershell.exe, 00000000.00000002.1885846907.000002D88B13B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://danknlmmaahlimg.top/eisn5g1lwjhtr.php?id=user-PC&key=111095586772&s=mints13
Source: powershell.exe, 00000000.00000002.1885846907.000002D88B3F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1885846907.000002D88BB38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://maps.google.com/maps?hl=en&tab=wl
Source: powershell.exe, 00000000.00000002.1921209147.000002D899D91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.1885846907.000002D889F48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.1885846907.000002D88B45A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1921209147.000002D89A028000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1885846907.000002D88C306000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1885846907.000002D88BFF5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1885846907.000002D88BB38000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1885846907.000002D88C300000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1885846907.000002D88C266000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1885846907.000002D88BFE6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1885846907.000002D88C30B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1885846907.000002D88C329000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1885846907.000002D88BFF0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1885846907.000002D88C320000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schema.org/WebPage
Source: powershell.exe, 00000000.00000002.1885846907.000002D88B45A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schema.org/WebPageX
Source: powershell.exe, 00000000.00000002.1935896996.000002D8A213B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.micrf0
Source: powershell.exe, 00000000.00000002.1885846907.000002D889F48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000000.00000002.1885846907.000002D889D21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.1885846907.000002D889F48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000000.00000002.1885846907.000002D889F48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.1885846907.000002D88BB38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.blogger.com/?tab=wj
Source: powershell.exe, 00000000.00000002.1885846907.000002D88B3F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1885846907.000002D88B3E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1885846907.000002D88B3D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com
Source: powershell.exe, 00000000.00000002.1885846907.000002D88BB38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/history/optout?hl=en
Source: powershell.exe, 00000000.00000002.1885846907.000002D88BB38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/mobile/?hl=en&tab=wD
Source: powershell.exe, 00000000.00000002.1885846907.000002D88BB38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/preferences?hl=enX
Source: powershell.exe, 00000000.00000002.1935896996.000002D8A213B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.coC
Source: powershell.exe, 00000000.00000002.1935896996.000002D8A213B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.s
Source: powershell.exe, 00000000.00000002.1885846907.000002D88B45A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://0.google
Source: powershell.exe, 00000000.00000002.1885846907.000002D88B45A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://0.google.com/
Source: powershell.exe, 00000000.00000002.1885846907.000002D88BB38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/ServiceLogin?hl=en&passive=true&continue=http://www.google.com/&ec=GAZAA
Source: powershell.exe, 00000000.00000002.1885846907.000002D889D21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.1885846907.000002D88B3F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1921209147.000002D899D91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1885846907.000002D88B615000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1885846907.000002D88B45A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1921209147.000002D89A028000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000000.00000002.1885846907.000002D88BB38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://books.google.com/?hl=en&tab=wp
Source: powershell.exe, 00000000.00000002.1885846907.000002D88BB38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://calendar.google.com/calendar?tab=wc
Source: powershell.exe, 00000000.00000002.1921209147.000002D899D91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.1921209147.000002D899D91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.1921209147.000002D899D91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.1921209147.000002D899D91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1885846907.000002D88B3E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1885846907.000002D88B45A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1921209147.000002D89A028000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/gws/other-hp
Source: powershell.exe, 00000000.00000002.1885846907.000002D88BB38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/?usp=docs_alc
Source: powershell.exe, 00000000.00000002.1885846907.000002D88BB38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/?tab=wo
Source: powershell.exe, 00000000.00000002.1885846907.000002D889F48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.1921209147.000002D89A028000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s24
Source: powershell.exe, 00000000.00000002.1885846907.000002D88B615000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s24X
Source: powershell.exe, 00000000.00000002.1885846907.000002D88B3F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1921209147.000002D899D91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1885846907.000002D88B45A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1921209147.000002D89A028000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s96
Source: powershell.exe, 00000000.00000002.1885846907.000002D88BB38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s96X
Source: powershell.exe, 00000000.00000002.1885846907.000002D88BB38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/?tab=wm
Source: powershell.exe, 00000000.00000002.1885846907.000002D88BB38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://news.google.com/?tab=wn
Source: powershell.exe, 00000000.00000002.1921209147.000002D899D91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000000.00000002.1885846907.000002D88BB38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://photos.google.com/?tab=wq&pageId=none
Source: powershell.exe, 00000000.00000002.1885846907.000002D88B3F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1885846907.000002D88BB38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://play.google.com/?hl=en&tab=w8
Source: powershell.exe, 00000000.00000002.1885846907.000002D88B51F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com/gb/images/b_8d5afc09.png);_background:url(https://ssl.gstatic.com/gb/images/
Source: powershell.exe, 00000000.00000002.1885846907.000002D88BB38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://translate.google.com/?hl=en&tab=wT
Source: powershell.exe, 00000000.00000002.1885846907.000002D88BB38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/finance?tab=we
Source: powershell.exe, 00000000.00000002.1885846907.000002D88B3F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1885846907.000002D88BB38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/imghp?hl=en&tab=wi
Source: powershell.exe, 00000000.00000002.1885846907.000002D88BB38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/intl/en/about/products?tab=whX
Source: powershell.exe, 00000000.00000002.1885846907.000002D88BB38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/shopping?hl=en&source=og&tab=wf
Source: powershell.exe, 00000000.00000002.1885846907.000002D88B3F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1885846907.000002D88BB38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/webhp?tab=ww
Source: powershell.exe, 00000000.00000002.1885846907.000002D88B615000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1885846907.000002D88B45A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1921209147.000002D89A028000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com
Source: powershell.exe, 00000000.00000002.1885846907.000002D88B615000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.comX
Source: powershell.exe, 00000000.00000002.1885846907.000002D88BB38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/?tab=w1

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9BAA48D6	0_2_00007FFD9BAA48D6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9BAA5682	0_2_00007FFD9BAA5682
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9BAA625D	0_2_00007FFD9BAA625D

Source: classification engine

Classification label: mal68.evad.winPS1@2/8@2/2

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:344:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r3c1lxkk.btu.ps1

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\2stage.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdataengine.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1934617561.000002D8A1E30000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: .Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000000.00000002.1937776158.000002D8A2226000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: powershell.exe, 00000000.00000002.1935896996.000002D8A20C0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1935896996.000002D8A20C0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb%{" source: powershell.exe, 00000000.00000002.1937776158.000002D8A2226000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb34e089 source: powershell.exe, 00000000.00000002.1937776158.000002D8A226F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.pdb-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000000.00000002.1935896996.000002D8A20C0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb7 source: powershell.exe, 00000000.00000002.1935896996.000002D8A213B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.1935896996.000002D8A20C0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.1937776158.000002D8A22B9000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9B97D2A5 pushad ; iretd	0_2_00007FFD9B97D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9BAA61ED push E95F4EE6h; ret	0_2_00007FFD9BAA6209
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9BAA8167 push ebx; ret	0_2_00007FFD9BAA816A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9BA900BD pushad ; iretd	0_2_00007FFD9BA900C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9BAA7678 push E95CC82Eh; ret	0_2_00007FFD9BAA7699
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9BA99ED3 push FFFFFFE8h; retf	0_2_00007FFD9BA99EF1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9BB6CAB4 pushad ; retf 0000h	0_2_00007FFD9BB6CAB5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9BCB1E28 push ds; retf	0_2_00007FFD9BCB1E32
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9BCB9BE5 pushfd ; retf	0_2_00007FFD9BCB9C42
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9BCB069D push es; retf	0_2_00007FFD9BCB06B2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9BCB60A1 pushad ; retf	0_2_00007FFD9BCB60A2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9BCB166D push ss; retf	0_2_00007FFD9BCB1682
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9BCB5296 push edx; retf	0_2_00007FFD9BCB52F2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9BCB509A push eax; retf	0_2_00007FFD9BCB50F2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9BCB1E93 push ds; retf	0_2_00007FFD9BCB1EF2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9BCB5491 push esp; retf	0_2_00007FFD9BCB5492

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries memory information (via WMI often done to detect virtual machines)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5422			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4403			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5436

Thread sleep time: -8301034833169293s >= -30000s

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: powershell.exe, 00000000.00000002.1885846907.000002D88A319000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: IsVirtualMachine`SJ
Source: powershell.exe, 00000000.00000002.1885846907.000002D88AA07000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: powershell.exe, 00000000.00000002.1885846907.000002D88AA07000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: powershell.exe, 00000000.00000002.1885846907.000002D88A319000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: IsVirtualMachine
Source: powershell.exe, 00000000.00000002.1885846907.000002D88AA07000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: "VMware"
Source: powershell.exe, 00000000.00000002.1885846907.000002D88AA07000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 1:en-US:VMware
Source: powershell.exe, 00000000.00000002.1937776158.000002D8A226F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RA
Source: powershell.exe, 00000000.00000002.1885846907.000002D88AA07000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware`SJ
Source: powershell.exe, 00000000.00000002.1885846907.000002D88AA07000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: powershell.exe, 00000000.00000002.1885846907.000002D88A319000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: IsVirtualMachine
Source: powershell.exe, 00000000.00000002.1885846907.000002D88A319000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: "IsVirtualMachine"
Source: powershell.exe, 00000000.00000002.1885846907.000002D88AA07000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware8
Source: powershell.exe, 00000000.00000002.1937776158.000002D8A226F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll33

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 0_2_00007FFD9BCB6EF1 cpuid

0_2_00007FFD9BCB6EF1

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Masquerading	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	121 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	121 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	21 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
2stage.ps1	11%	ReversingLabs	Win32.Trojan.Pantera

Source	Detection	Scanner	Label
http://schemas.micrf0	0%	Avira URL Cloud	safe
http://$fz6258ikejydvr9/$1pjduqg5e6wlfi4.php?id=$env:computername&key=$zqphcmeybxj&s=mints13	0%	Avira URL Cloud	safe
http://www.microsoft.s	0%	Avira URL Cloud	safe
http://danknlmmaahlimg.top/eisn5g1lwjhtr.php?id=user-PC&key=111095586772&s=mints13	0%	Avira URL Cloud	safe
http://www.microsoft.coC	0%	Avira URL Cloud	safe
http://danknlmmaahlimg.top	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
danknlmmaahlimg.top	206.188.196.37	true	true		unknown
www.google.com	142.250.186.164	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://danknlmmaahlimg.top/eisn5g1lwjhtr.php?id=user-PC&key=111095586772&s=mints13	true	Avira URL Cloud: safe	unknown
http://www.google.com/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.microsoft	powershell.exe, 00000000.00000002.1935776197.000002D8A1FC0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://photos.google.com/?tab=wq&pageId=none	powershell.exe, 00000000.00000002.1885846907.000002D88BB38000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.google.com/preferences?hl=enX	powershell.exe, 00000000.00000002.1885846907.000002D88BB38000.00000004.00000800.00020000.00000000.sdmp	false		high
https://csp.withgoogle.com/csp/gws/other-hp	powershell.exe, 00000000.00000002.1921209147.000002D899D91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1885846907.000002D88B3E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1885846907.000002D88B45A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1921209147.000002D89A028000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.micrf0	powershell.exe, 00000000.00000002.1935896996.000002D8A213B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 00000000.00000002.1921209147.000002D899D91000.00000004.00000800.00020000.00000000.sdmp	false		high
https://news.google.com/?tab=wn	powershell.exe, 00000000.00000002.1885846907.000002D88BB38000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/document/?usp=docs_alc	powershell.exe, 00000000.00000002.1885846907.000002D88BB38000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schema.org/WebPage	powershell.exe, 00000000.00000002.1885846907.000002D88B45A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1921209147.000002D89A028000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1885846907.000002D88C306000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1885846907.000002D88BFF5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1885846907.000002D88BB38000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1885846907.000002D88C300000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1885846907.000002D88C266000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1885846907.000002D88BFE6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1885846907.000002D88C30B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1885846907.000002D88C329000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1885846907.000002D88BFF0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1885846907.000002D88C320000.00000004.00000800.00020000.00000000.sdmp	false		high
https://0.google.com/	powershell.exe, 00000000.00000002.1885846907.000002D88B45A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/webhp?tab=ww	powershell.exe, 00000000.00000002.1885846907.000002D88B3F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1885846907.000002D88BB38000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.microsoft.coC	powershell.exe, 00000000.00000002.1935896996.000002D8A213B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schema.org/WebPageX	powershell.exe, 00000000.00000002.1885846907.000002D88B45A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000000.00000002.1921209147.000002D899D91000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000000.00000002.1921209147.000002D899D91000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/finance?tab=we	powershell.exe, 00000000.00000002.1885846907.000002D88BB38000.00000004.00000800.00020000.00000000.sdmp	false		high
http://maps.google.com/maps?hl=en&tab=wl	powershell.exe, 00000000.00000002.1885846907.000002D88B3F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1885846907.000002D88BB38000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.google.com	powershell.exe, 00000000.00000002.1885846907.000002D88B3F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1885846907.000002D88B3E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1885846907.000002D88B3D6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://apis.google.com	powershell.exe, 00000000.00000002.1885846907.000002D88B3F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1921209147.000002D899D91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1885846907.000002D88B615000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1885846907.000002D88B45A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1921209147.000002D89A028000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000000.00000002.1885846907.000002D889D21000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.blogger.com/?tab=wj	powershell.exe, 00000000.00000002.1885846907.000002D88BB38000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.google.com/mobile/?hl=en&tab=wD	powershell.exe, 00000000.00000002.1885846907.000002D88BB38000.00000004.00000800.00020000.00000000.sdmp	false		high
http://$fz6258ikejydvr9/$1pjduqg5e6wlfi4.php?id=$env:computername&key=$zqphcmeybxj&s=mints13	powershell.exe, 00000000.00000002.1885846907.000002D889F48000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1885846907.000002D88B13B000.00000004.00000800.00020000.00000000.sdmp, 2stage.ps1	false	Avira URL Cloud: safe	unknown
https://play.google.com/?hl=en&tab=w8	powershell.exe, 00000000.00000002.1885846907.000002D88B3F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1885846907.000002D88BB38000.00000004.00000800.00020000.00000000.sdmp	false		high
http://nuget.org/NuGet.exe	powershell.exe, 00000000.00000002.1921209147.000002D899D91000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/imghp?hl=en&tab=wi	powershell.exe, 00000000.00000002.1885846907.000002D88B3F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1885846907.000002D88BB38000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/shopping?hl=en&source=og&tab=wf	powershell.exe, 00000000.00000002.1885846907.000002D88BB38000.00000004.00000800.00020000.00000000.sdmp	false		high
https://lh3.googleusercontent.com/ogw/default-user=s96	powershell.exe, 00000000.00000002.1885846907.000002D88B3F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1921209147.000002D899D91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1885846907.000002D88B45A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1921209147.000002D89A028000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.microsoft.s	powershell.exe, 00000000.00000002.1935896996.000002D8A213B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000000.00000002.1885846907.000002D889F48000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000000.00000002.1885846907.000002D889F48000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000000.00000002.1885846907.000002D889F48000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.google.com/?tab=wo	powershell.exe, 00000000.00000002.1885846907.000002D88BB38000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000000.00000002.1921209147.000002D899D91000.00000004.00000800.00020000.00000000.sdmp	false		high
https://0.google	powershell.exe, 00000000.00000002.1885846907.000002D88B45A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://mail.google.com/mail/?tab=wm	powershell.exe, 00000000.00000002.1885846907.000002D88BB38000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000000.00000002.1885846907.000002D889F48000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.youtube.com/?tab=w1	powershell.exe, 00000000.00000002.1885846907.000002D88BB38000.00000004.00000800.00020000.00000000.sdmp	false		high
http://0.google.	powershell.exe, 00000000.00000002.1885846907.000002D88B45A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://lh3.googleusercontent.com/ogw/default-user=s96X	powershell.exe, 00000000.00000002.1885846907.000002D88BB38000.00000004.00000800.00020000.00000000.sdmp	false		high
http://0.google.com/	powershell.exe, 00000000.00000002.1885846907.000002D88B45A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://danknlmmaahlimg.top	powershell.exe, 00000000.00000002.1885846907.000002D88B3D6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1885846907.000002D88B13B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://lh3.googleusercontent.com/ogw/default-user=s24	powershell.exe, 00000000.00000002.1921209147.000002D89A028000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.google.com/history/optout?hl=en	powershell.exe, 00000000.00000002.1885846907.000002D88BB38000.00000004.00000800.00020000.00000000.sdmp	false		high
https://books.google.com/?hl=en&tab=wp	powershell.exe, 00000000.00000002.1885846907.000002D88BB38000.00000004.00000800.00020000.00000000.sdmp	false		high
https://translate.google.com/?hl=en&tab=wT	powershell.exe, 00000000.00000002.1885846907.000002D88BB38000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000000.00000002.1885846907.000002D889F48000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/intl/en/about/products?tab=whX	powershell.exe, 00000000.00000002.1885846907.000002D88BB38000.00000004.00000800.00020000.00000000.sdmp	false		high
https://calendar.google.com/calendar?tab=wc	powershell.exe, 00000000.00000002.1885846907.000002D88BB38000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/pscore68	powershell.exe, 00000000.00000002.1885846907.000002D889D21000.00000004.00000800.00020000.00000000.sdmp	false		high
https://lh3.googleusercontent.com/ogw/default-user=s24X	powershell.exe, 00000000.00000002.1885846907.000002D88B615000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
206.188.196.37	danknlmmaahlimg.top	United States		55002	DEFENSE-NETUS	true
142.250.186.164	www.google.com	United States		15169	GOOGLEUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1557817
Start date and time:	2024-11-18 16:52:50 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 25s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	2stage.ps1
Detection:	MAL
Classification:	mal68.evad.winPS1@2/8@2/2
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 14 Number of non-executed functions: 2
Cookbook Comments:	Found application associated with file extension: .ps1

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 6816 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: 2stage.ps1

Simulations

Behavior and APIs

Time	Type	Description
10:53:48	API Interceptor	56x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
206.188.196.37	_DRP12938938231_PDF.js	Get hash	malicious	Mint Stealer	Browse	gidcldeaccadneh.top/uyo2kijx89htr.php?id=computer&key=58597074642&s=mints21
	_DRP12938938231_PDF.js	Get hash	malicious	Mint Stealer	Browse	gidcldeaccadneh.top/q961kig3lwhtr.php?id=user-PC&key=111108474762&s=mints21
	ryOpDCeOHz.ps1	Get hash	malicious	Unknown	Browse	gidcldeaccadneh.top/hqr7nx0sg1htr.php?id=computer&key=50024904669&s=mints13
	ryOpDCeOHz.ps1	Get hash	malicious	Unknown	Browse	gidcldeaccadneh.top/kdv0uaf47hhtr.php?id=user-PC&key=111095586772&s=mints13
	Fdoze89ykv.js	Get hash	malicious	Mint Stealer	Browse	gidcldeaccadneh.top/d3q2k547nrhtr.php?id=computer&key=49178848774&s=mints21
	Fdoze89ykv.js	Get hash	malicious	Mint Stealer	Browse	gidcldeaccadneh.top/xuceh2n0lohtr.php?id=user-PC&key=57894837609&s=mints21
	Fattura05736577.vbs	Get hash	malicious	Unknown	Browse	gidcldeaccadneh.top/06c2d9sea1htr.php?id=computer&key=21152678751&s=mints13
	tibhzuygfuyz.ps1	Get hash	malicious	Unknown	Browse	gidcldeaccadneh.top/276lca0oqkhtr.php?id=computer&key=55933565450&s=mints13
	tibhzuygfuyz.ps1	Get hash	malicious	Unknown	Browse	gidcldeaccadneh.top/9mtlfardohhtr.php?id=user-PC&key=89774062466&s=mints13
	Fattura05736577.vbs	Get hash	malicious	Unknown	Browse	gidcldeaccadneh.top/5nyvigqht1htr.php?id=user-PC&key=79290330744&s=mints13

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
danknlmmaahlimg.top	I_ Ultima richiesta di pagamento finale per Cuzziol beverage s_r_l__.msg	Get hash	malicious	Mint Stealer	Browse	206.188.196.37

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
DEFENSE-NETUS	I_ Ultima richiesta di pagamento finale per Cuzziol beverage s_r_l__.msg	Get hash	malicious	Mint Stealer	Browse	206.188.196.37
	_DRP12938938231_PDF.js	Get hash	malicious	Mint Stealer	Browse	206.188.196.37
	_DRP12938938231_PDF.js	Get hash	malicious	Mint Stealer	Browse	206.188.196.37
	ryOpDCeOHz.ps1	Get hash	malicious	Unknown	Browse	206.188.196.37
	ryOpDCeOHz.ps1	Get hash	malicious	Unknown	Browse	206.188.196.37
	Fdoze89ykv.js	Get hash	malicious	Mint Stealer	Browse	206.188.196.37
	Fdoze89ykv.js	Get hash	malicious	Mint Stealer	Browse	206.188.196.37
	Fattura05736577.vbs	Get hash	malicious	Unknown	Browse	206.188.196.37
	tibhzuygfuyz.ps1	Get hash	malicious	Unknown	Browse	206.188.196.37
	tibhzuygfuyz.ps1	Get hash	malicious	Unknown	Browse	206.188.196.37

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	19253
Entropy (8bit):	5.005753878328145
Encrypted:	false
SSDEEP:	384:hrib4ZmVoGIpN6KQkj2Fkjh4iUxDhQIeQo+OdBANXp5yvOjJlYoaYpib47:hLmV3IpNBQkj2Uh4iUxDhiQo+OdBANZD
MD5:	81D32E8AE893770C4DEA5135D1D8E78D
SHA1:	CA54EF62836AEEAEDC9F16FF80FD2950B53FBA0D
SHA-256:	6A8BCF8BC8383C0DCF9AECA9948D91FD622458ECF7AF745858D0B07EFA9DCF89
SHA-512:	FDF4BE11A2FC7837E03FBEFECCDD32E554950E8DF3F89E441C1A7B1BC7D8DA421CEA06ED3E2DE90DDC9DA3E60166BA8C2262AFF30C3A7FFDE953BA17AE48BF9A
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1628158735648508
Encrypted:	false
SSDEEP:	3:Nlllul5mxllp:NllU4x/
MD5:	3A925CB766CE4286E251C26E90B55CE8
SHA1:	3FA8EE6E901101A4661723B94D6C9309E281BD28
SHA-256:	4E844662CDFFAAD50BA6320DC598EBE0A31619439D0F6AB379DF978FE81C7BF8
SHA-512:	F348B4AFD42C262BBED07D6BDEA6EE4B7F5CFA2E18BFA725225584E93251188D9787506C2AFEAC482B606B1EA0341419F229A69FF1E9100B01DE42025F915788
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_14o32xcb.rti.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4hsekni2.3cf.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_igjciuoy.srr.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r3c1lxkk.btu.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6221
Entropy (8bit):	3.7314032587767323
Encrypted:	false
SSDEEP:	96:qslT33CxHllkvhkvCCt+lSc4KHHlSc4TH1:qQTyFRmSGS3
MD5:	E5F461D56C8CCCF44A898753E90FBD23
SHA1:	93776393F346AFAC9D3C9F2E097C4CA2E3715A45
SHA-256:	F569F2ACBBBBC79345731B327DD993BCAD1399DE7E83B73B89D9C728CB4E9DA5
SHA-512:	1F67E7DEE2E0C26152CE30006B3E793674B0DDD963E9C2976906BDB897B5C9CB6D526E1F7CFFC730F6FFCAD96FD6886FDD4E5E21DD525C79E32E1623DA5D50DC
Malicious:	false
Preview:	...................................FL..................F.".. ...-/.v.........9..z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v.........9...?...9......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^rY.~...........................%..A.p.p.D.a.t.a...B.V.1.....rY.~..Roaming.@......CW.^rY.~..........................W..R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^DW.`..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWR`..Windows.@......CW.^DWR`..........................cY..W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^rY.~....Q...........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WVO38SLXU0V5GXRWCWUN.temp

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6221
Entropy (8bit):	3.7314032587767323
Encrypted:	false
SSDEEP:	96:qslT33CxHllkvhkvCCt+lSc4KHHlSc4TH1:qQTyFRmSGS3
MD5:	E5F461D56C8CCCF44A898753E90FBD23
SHA1:	93776393F346AFAC9D3C9F2E097C4CA2E3715A45
SHA-256:	F569F2ACBBBBC79345731B327DD993BCAD1399DE7E83B73B89D9C728CB4E9DA5
SHA-512:	1F67E7DEE2E0C26152CE30006B3E793674B0DDD963E9C2976906BDB897B5C9CB6D526E1F7CFFC730F6FFCAD96FD6886FDD4E5E21DD525C79E32E1623DA5D50DC
Malicious:	false
Preview:	...................................FL..................F.".. ...-/.v.........9..z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v.........9...?...9......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^rY.~...........................%..A.p.p.D.a.t.a...B.V.1.....rY.~..Roaming.@......CW.^rY.~..........................W..R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^DW.`..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWR`..Windows.@......CW.^DWR`..........................cY..W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^rY.~....Q...........

Static File Info

General

File type:	ASCII text, with very long lines (2607), with CRLF line terminators
Entropy (8bit):	4.826758517421858
TrID:
File name:	2stage.ps1
File size:	16'843 bytes
MD5:	f65ba6b3d6b6e287d7123fb8211ec264
SHA1:	6b89bd7576b9e9905d964242942fa2a40cf5456b
SHA256:	12d5ec77e4e5cd9fde641f95126e174e82eaa273e2efdd6da78bce56fc7ba244
SHA512:	f811a08dd785cb8fa9792ea1303422c05bbd3afa90234f8919b41f074697acfe3904f99d1b4420c06da899215ff45bcf4cb799e48b95a4466fb0148840698980
SSDEEP:	384:i+IdlGbdK0ub8uMv/bWujjz1qm9sobMVTeiJJ6xcICDaQdLUITh2:i+sjNou+jn1qm95AeiecVZdYgh2
TLSH:	E272D9C2BB88EDE252CDC66EE506AC083BA5347ED157BFC4E5E0DB427191350AE4DD82
File Content Preview:	........$global:tzbxvwqiroam=$executioncontext;$bocygzipelw=(Get-MpComputerStatus).($global:tzbxvwqiroam.([system.String]::new(@((-9622+(13870702/(4744302/3327))),(8092-(38976106/(20376759/(8615-(1545816/348))))),(-7356+(5664+1810)),(-8452+8563),(2240-213

File Icon


Icon Hash:	3270d6baae77db44

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-18T16:54:01.304373+0100	2856654	ETPRO MALWARE TA582 CnC Checkin	1	192.168.2.4	49730	206.188.196.37	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 18, 2024 16:53:52.128424883 CET	49730	80	192.168.2.4	206.188.196.37
Nov 18, 2024 16:53:52.133382082 CET	80	49730	206.188.196.37	192.168.2.4
Nov 18, 2024 16:53:52.133462906 CET	49730	80	192.168.2.4	206.188.196.37
Nov 18, 2024 16:53:52.136615992 CET	49730	80	192.168.2.4	206.188.196.37
Nov 18, 2024 16:53:52.141696930 CET	80	49730	206.188.196.37	192.168.2.4
Nov 18, 2024 16:54:01.254705906 CET	80	49730	206.188.196.37	192.168.2.4
Nov 18, 2024 16:54:01.265678883 CET	49731	80	192.168.2.4	142.250.186.164
Nov 18, 2024 16:54:01.270615101 CET	80	49731	142.250.186.164	192.168.2.4
Nov 18, 2024 16:54:01.270699978 CET	49731	80	192.168.2.4	142.250.186.164
Nov 18, 2024 16:54:01.270864964 CET	49731	80	192.168.2.4	142.250.186.164
Nov 18, 2024 16:54:01.277347088 CET	80	49731	142.250.186.164	192.168.2.4
Nov 18, 2024 16:54:01.304373026 CET	49730	80	192.168.2.4	206.188.196.37
Nov 18, 2024 16:54:02.411170006 CET	80	49731	142.250.186.164	192.168.2.4
Nov 18, 2024 16:54:02.411196947 CET	80	49731	142.250.186.164	192.168.2.4
Nov 18, 2024 16:54:02.411209106 CET	80	49731	142.250.186.164	192.168.2.4
Nov 18, 2024 16:54:02.411256075 CET	80	49731	142.250.186.164	192.168.2.4
Nov 18, 2024 16:54:02.411282063 CET	49731	80	192.168.2.4	142.250.186.164
Nov 18, 2024 16:54:02.411309958 CET	49731	80	192.168.2.4	142.250.186.164
Nov 18, 2024 16:54:02.411324978 CET	80	49731	142.250.186.164	192.168.2.4
Nov 18, 2024 16:54:02.411427975 CET	80	49731	142.250.186.164	192.168.2.4
Nov 18, 2024 16:54:02.411439896 CET	80	49731	142.250.186.164	192.168.2.4
Nov 18, 2024 16:54:02.411451101 CET	80	49731	142.250.186.164	192.168.2.4
Nov 18, 2024 16:54:02.411463022 CET	80	49731	142.250.186.164	192.168.2.4
Nov 18, 2024 16:54:02.411503077 CET	49731	80	192.168.2.4	142.250.186.164
Nov 18, 2024 16:54:02.411571980 CET	80	49731	142.250.186.164	192.168.2.4
Nov 18, 2024 16:54:02.411906004 CET	49731	80	192.168.2.4	142.250.186.164
Nov 18, 2024 16:54:02.416241884 CET	80	49731	142.250.186.164	192.168.2.4
Nov 18, 2024 16:54:02.416316032 CET	80	49731	142.250.186.164	192.168.2.4
Nov 18, 2024 16:54:02.416327953 CET	80	49731	142.250.186.164	192.168.2.4
Nov 18, 2024 16:54:02.416358948 CET	80	49731	142.250.186.164	192.168.2.4
Nov 18, 2024 16:54:02.416393995 CET	49731	80	192.168.2.4	142.250.186.164
Nov 18, 2024 16:54:02.416434050 CET	49731	80	192.168.2.4	142.250.186.164
Nov 18, 2024 16:54:02.542685032 CET	80	49731	142.250.186.164	192.168.2.4
Nov 18, 2024 16:54:02.542809010 CET	80	49731	142.250.186.164	192.168.2.4
Nov 18, 2024 16:54:02.542819977 CET	80	49731	142.250.186.164	192.168.2.4
Nov 18, 2024 16:54:02.542831898 CET	80	49731	142.250.186.164	192.168.2.4
Nov 18, 2024 16:54:02.542907000 CET	49731	80	192.168.2.4	142.250.186.164
Nov 18, 2024 16:54:02.547507048 CET	80	49731	142.250.186.164	192.168.2.4
Nov 18, 2024 16:54:02.547518969 CET	80	49731	142.250.186.164	192.168.2.4
Nov 18, 2024 16:54:02.547532082 CET	80	49731	142.250.186.164	192.168.2.4
Nov 18, 2024 16:54:02.547585964 CET	49731	80	192.168.2.4	142.250.186.164
Nov 18, 2024 16:54:02.557190895 CET	80	49731	142.250.186.164	192.168.2.4
Nov 18, 2024 16:54:02.557245016 CET	49731	80	192.168.2.4	142.250.186.164
Nov 18, 2024 16:54:02.557286024 CET	80	49731	142.250.186.164	192.168.2.4
Nov 18, 2024 16:54:02.557296991 CET	80	49731	142.250.186.164	192.168.2.4
Nov 18, 2024 16:54:02.557308912 CET	80	49731	142.250.186.164	192.168.2.4
Nov 18, 2024 16:54:02.557332039 CET	49731	80	192.168.2.4	142.250.186.164
Nov 18, 2024 16:54:02.566732883 CET	80	49731	142.250.186.164	192.168.2.4
Nov 18, 2024 16:54:02.566755056 CET	80	49731	142.250.186.164	192.168.2.4
Nov 18, 2024 16:54:02.566768885 CET	80	49731	142.250.186.164	192.168.2.4
Nov 18, 2024 16:54:02.566797018 CET	49731	80	192.168.2.4	142.250.186.164
Nov 18, 2024 16:54:02.566822052 CET	49731	80	192.168.2.4	142.250.186.164
Nov 18, 2024 16:54:02.576281071 CET	80	49731	142.250.186.164	192.168.2.4
Nov 18, 2024 16:54:02.576406956 CET	80	49731	142.250.186.164	192.168.2.4
Nov 18, 2024 16:54:02.576416016 CET	80	49731	142.250.186.164	192.168.2.4
Nov 18, 2024 16:54:02.576421976 CET	80	49731	142.250.186.164	192.168.2.4
Nov 18, 2024 16:54:02.576493979 CET	49731	80	192.168.2.4	142.250.186.164
Nov 18, 2024 16:54:02.663476944 CET	80	49731	142.250.186.164	192.168.2.4
Nov 18, 2024 16:54:02.663521051 CET	80	49731	142.250.186.164	192.168.2.4
Nov 18, 2024 16:54:02.663532019 CET	80	49731	142.250.186.164	192.168.2.4
Nov 18, 2024 16:54:02.663775921 CET	49731	80	192.168.2.4	142.250.186.164
Nov 18, 2024 16:54:02.667984962 CET	80	49731	142.250.186.164	192.168.2.4
Nov 18, 2024 16:54:02.668040991 CET	49731	80	192.168.2.4	142.250.186.164
Nov 18, 2024 16:54:02.668067932 CET	80	49731	142.250.186.164	192.168.2.4
Nov 18, 2024 16:54:02.668078899 CET	80	49731	142.250.186.164	192.168.2.4
Nov 18, 2024 16:54:02.668088913 CET	80	49731	142.250.186.164	192.168.2.4
Nov 18, 2024 16:54:02.668116093 CET	49731	80	192.168.2.4	142.250.186.164
Nov 18, 2024 16:54:02.678184986 CET	80	49731	142.250.186.164	192.168.2.4
Nov 18, 2024 16:54:02.678246021 CET	49731	80	192.168.2.4	142.250.186.164
Nov 18, 2024 16:54:02.678258896 CET	80	49731	142.250.186.164	192.168.2.4
Nov 18, 2024 16:54:02.678271055 CET	80	49731	142.250.186.164	192.168.2.4
Nov 18, 2024 16:54:02.678314924 CET	49731	80	192.168.2.4	142.250.186.164
Nov 18, 2024 16:54:02.687261105 CET	80	49731	142.250.186.164	192.168.2.4
Nov 18, 2024 16:54:02.687285900 CET	80	49731	142.250.186.164	192.168.2.4
Nov 18, 2024 16:54:02.687297106 CET	80	49731	142.250.186.164	192.168.2.4
Nov 18, 2024 16:54:02.687366962 CET	49731	80	192.168.2.4	142.250.186.164
Nov 18, 2024 16:54:02.697151899 CET	80	49731	142.250.186.164	192.168.2.4
Nov 18, 2024 16:54:02.697179079 CET	80	49731	142.250.186.164	192.168.2.4
Nov 18, 2024 16:54:02.697191954 CET	80	49731	142.250.186.164	192.168.2.4
Nov 18, 2024 16:54:02.697231054 CET	49731	80	192.168.2.4	142.250.186.164
Nov 18, 2024 16:54:02.697244883 CET	80	49731	142.250.186.164	192.168.2.4
Nov 18, 2024 16:54:02.697259903 CET	49731	80	192.168.2.4	142.250.186.164
Nov 18, 2024 16:54:02.741754055 CET	49731	80	192.168.2.4	142.250.186.164
Nov 18, 2024 16:54:02.784394979 CET	80	49731	142.250.186.164	192.168.2.4
Nov 18, 2024 16:54:02.784426928 CET	80	49731	142.250.186.164	192.168.2.4
Nov 18, 2024 16:54:02.784439087 CET	80	49731	142.250.186.164	192.168.2.4
Nov 18, 2024 16:54:02.784621954 CET	49731	80	192.168.2.4	142.250.186.164
Nov 18, 2024 16:54:02.788805962 CET	80	49731	142.250.186.164	192.168.2.4
Nov 18, 2024 16:54:02.788841963 CET	80	49731	142.250.186.164	192.168.2.4
Nov 18, 2024 16:54:02.788853884 CET	80	49731	142.250.186.164	192.168.2.4
Nov 18, 2024 16:54:02.788949966 CET	49731	80	192.168.2.4	142.250.186.164
Nov 18, 2024 16:54:02.799083948 CET	80	49731	142.250.186.164	192.168.2.4
Nov 18, 2024 16:54:02.799118996 CET	80	49731	142.250.186.164	192.168.2.4
Nov 18, 2024 16:54:02.799132109 CET	80	49731	142.250.186.164	192.168.2.4
Nov 18, 2024 16:54:02.799175978 CET	49731	80	192.168.2.4	142.250.186.164
Nov 18, 2024 16:54:02.808043957 CET	80	49731	142.250.186.164	192.168.2.4
Nov 18, 2024 16:54:02.808063030 CET	80	49731	142.250.186.164	192.168.2.4
Nov 18, 2024 16:54:02.808074951 CET	80	49731	142.250.186.164	192.168.2.4
Nov 18, 2024 16:54:02.808151007 CET	49731	80	192.168.2.4	142.250.186.164
Nov 18, 2024 16:54:02.817706108 CET	80	49731	142.250.186.164	192.168.2.4
Nov 18, 2024 16:54:02.817724943 CET	80	49731	142.250.186.164	192.168.2.4
Nov 18, 2024 16:54:02.817787886 CET	49731	80	192.168.2.4	142.250.186.164
Nov 18, 2024 16:54:03.173137903 CET	49730	80	192.168.2.4	206.188.196.37
Nov 18, 2024 16:54:03.173192024 CET	49731	80	192.168.2.4	142.250.186.164

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 18, 2024 16:53:51.725749016 CET	51391	53	192.168.2.4	1.1.1.1
Nov 18, 2024 16:53:52.116076946 CET	53	51391	1.1.1.1	192.168.2.4
Nov 18, 2024 16:54:01.256186962 CET	51562	53	192.168.2.4	1.1.1.1
Nov 18, 2024 16:54:01.263262987 CET	53	51562	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 18, 2024 16:53:51.725749016 CET	192.168.2.4	1.1.1.1	0x2137	Standard query (0)	danknlmmaahlimg.top	A (IP address)	IN (0x0001)	false
Nov 18, 2024 16:54:01.256186962 CET	192.168.2.4	1.1.1.1	0xdb87	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 18, 2024 16:53:52.116076946 CET	1.1.1.1	192.168.2.4	0x2137	No error (0)	danknlmmaahlimg.top		206.188.196.37	A (IP address)	IN (0x0001)	false
Nov 18, 2024 16:54:01.263262987 CET	1.1.1.1	192.168.2.4	0xdb87	No error (0)	www.google.com		142.250.186.164	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

danknlmmaahlimg.top

www.google.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	206.188.196.37	80	6816	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 16:53:52.136615992 CET	220	OUT	GET /eisn5g1lwjhtr.php?id=user-PC&key=111095586772&s=mints13 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: danknlmmaahlimg.top Connection: Keep-Alive
Nov 18, 2024 16:54:01.254705906 CET	166	IN	HTTP/1.1 302 Found Server: nginx/1.18.0 (Ubuntu) Date: Mon, 18 Nov 2024 15:54:01 GMT Content-Length: 0 Connection: keep-alive Location: http://www.google.com

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	142.250.186.164	80	6816	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 16:54:01.270864964 CET	159	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: www.google.com Connection: Keep-Alive
Nov 18, 2024 16:54:02.411170006 CET	1236	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 15:54:02 GMT Expires: -1 Cache-Control: private, max-age=0 Content-Type: text/html; charset=UTF-8 Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-41xXULeNEhyYwAC-k-rvDQ' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Server: gws X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Set-Cookie: AEC=AZ6Zc-UDbwBT1DuyF9l9t5vMQ2A954HenHpSRboUPJ1BTwxtrBPt2IVX-p4; expires=Sat, 17-May-2025 15:54:02 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax Set-Cookie: NID=519=du3OhQ8q9g9Q3qFH9vSsx5MF5r-x4q86xegiSsVwHDOzBWgnurxdhTrPqC_uu2Sik_BNPoLlQ5dw2f_TlHxEhPOZv4LWVWzmVk0imy9shenHRDkzQtq9ROv7p4Qs3Vnnk0NqPfdPvzfhoMuEz3pWVAdUzLH8SrzClWFxyzAXXw0hBzHql-ux4OZH4rvi4z0DPmC6mquV; expires=Tue, 20-May-2025 15:54:02 GMT; path=/; domain=.google.com; HttpOnly Accept-Ranges: none Vary: Accept-Encoding Transfer-Encoding: chunked Data Raw: 34 35 64 64 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 69 74 65 6d 73 63 6f 70 65 3d 22 22 20 69 74 65 6d 74 79 70 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 2e 6f 72 67 2f 57 65 62 50 61 67 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 53 65 61 72 63 68 20 74 68 65 20 77 6f 72 6c 64 27 73 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 2c 20 69 6e 63 6c 75 64 69 6e 67 20 77 65 62 70 61 67 65 73 2c 20 69 6d 61 67 65 73 2c 20 Data Ascii: 45dd<!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="en"><head><meta content="Search the world's information, including webpages, images,
Nov 18, 2024 16:54:02.411196947 CET	1236	IN	Data Raw: 76 69 64 65 6f 73 20 61 6e 64 20 6d 6f 72 65 2e 20 47 6f 6f 67 6c 65 20 68 61 73 20 6d 61 6e 79 20 73 70 65 63 69 61 6c 20 66 65 61 74 75 72 65 73 20 74 6f 20 68 65 6c 70 20 79 6f 75 20 66 69 6e 64 20 65 78 61 63 74 6c 79 20 77 68 61 74 20 79 6f Data Ascii: videos and more. Google has many special features to help you find exactly what you're looking for." name="description"><meta content="noodp, " name="robots"><meta content="text/html; charset=UTF-8" http-equiv="Content-Type"><meta content="/im
Nov 18, 2024 16:54:02.411209106 CET	1236	IN	Data Raw: 33 39 2c 31 35 30 37 2c 32 33 34 2c 37 2c 34 35 36 2c 35 38 2c 33 35 34 2c 31 30 34 37 2c 32 32 30 38 2c 38 34 30 2c 38 31 30 2c 31 34 31 33 2c 31 32 31 39 2c 31 2c 31 33 35 39 2c 31 37 38 30 2c 33 30 32 2c 33 31 34 2c 34 2c 32 2c 38 32 34 2c 39 Data Ascii: 39,1507,234,7,456,58,354,1047,2208,840,810,1413,1219,1,1359,1780,302,314,4,2,824,9,712,6,2,183,343,2,1239,1024,1888,7,4,383,1400,401,1,3,387,2,455,97,515,329,42,143,370,95,620,294,440,178,471,109,536,134,126,35,463,461,1460,583,1381,1416,939,3
Nov 18, 2024 16:54:02.411256075 CET	636	IN	Data Raw: 72 65 6e 74 4e 6f 64 65 3b 72 65 74 75 72 6e 20 62 7d 66 75 6e 63 74 69 6f 6e 20 72 28 61 29 7b 2f 5e 68 74 74 70 3a 2f 69 2e 74 65 73 74 28 61 29 26 26 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 70 72 6f 74 6f 63 6f 6c 3d 3d 3d 22 68 74 74 Data Ascii: rentNode;return b}function r(a){/^http:/i.test(a)&&window.location.protocol==="https:"&&(google.ml&&google.ml(Error("a"),!1,{src:a,glmm:1}),a="");return a}function t(a,b,c,d,k){var e="";b.search("&ei=")===-1&&(e="&ei="+p(d),b.search("&lei=")=
Nov 18, 2024 16:54:02.411324978 CET	1236	IN	Data Raw: 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 6e 75 6c 6c 7d 3b 67 6f 6f 67 6c 65 2e 6c 6f 67 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 2c 64 2c 6b 2c 65 29 7b 65 3d 65 3d 3d 3d 76 6f 69 64 20 30 3f 6c 3a 65 3b 63 7c 7c 28 63 3d 74 28 Data Ascii: function(){return null};google.log=function(a,b,c,d,k,e){e=e===void 0?l:e;c\|\|(c=t(a,b,e,d,k));if(c=r(c)){a=new Image;var g=n.length;n[g]=a;a.onerror=a.onload=a.onabort=function(){delete n[g]};a.src=c}};google.logUrl=function(a,b){b=b===void 0?
Nov 18, 2024 16:54:02.411427975 CET	212	IN	Data Raw: 72 28 61 3d 62 2e 74 61 72 67 65 74 3b 61 26 26 61 21 3d 3d 64 6f 63 75 6d 65 6e 74 2e 64 6f 63 75 6d 65 6e 74 45 6c 65 6d 65 6e 74 3b 61 3d 61 2e 70 61 72 65 6e 74 45 6c 65 6d 65 6e 74 29 69 66 28 61 2e 74 61 67 4e 61 6d 65 3d 3d 3d 22 41 22 29 Data Ascii: r(a=b.target;a&&a!==document.documentElement;a=a.parentElement)if(a.tagName==="A"){a=a.getAttribute("data-nohref")==="1";break a}a=!1}a&&b.preventDefault()},!0);}).call(this);</script><style>#gb{font:13px/27px Ar
Nov 18, 2024 16:54:02.411439896 CET	1236	IN	Data Raw: 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 68 65 69 67 68 74 3a 33 30 70 78 7d 23 67 62 7a 2c 23 67 62 67 7b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 77 68 69 74 65 2d 73 70 61 63 65 3a 6e 6f 77 72 61 70 3b 74 6f 70 3a 30 3b 68 65 Data Ascii: ial,sans-serif;height:30px}#gbz,#gbg{position:absolute;white-space:nowrap;top:0;height:30px;z-index:1000}#gbz{left:0;padding-left:4px}#gbg{right:0;padding-right:5px}#gbs{background:transparent;position:absolute;top:-999px;visibility:hidden;z-i
Nov 18, 2024 16:54:02.411451101 CET	1236	IN	Data Raw: 7d 2e 67 62 78 6d 73 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 63 63 63 3b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 7a 2d 69 6e 64 65 78 3a 31 3b 74 6f 70 3a 2d 31 70 78 3b 6c Data Ascii: }.gbxms{background-color:#ccc;display:block;position:absolute;z-index:1;top:-1px;left:-2px;right:-2px;bottom:-2px;opacity:.4;-moz-border-radius:3px;filter:progid:DXImageTransform.Microsoft.Blur(pixelradius=5);opacity:1;top:-2px;left:-5px;r
Nov 18, 2024 16:54:02.411463022 CET	1236	IN	Data Raw: 62 6f 72 64 65 72 2d 72 69 67 68 74 3a 31 70 78 20 73 6f 6c 69 64 20 74 72 61 6e 73 70 61 72 65 6e 74 3b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 2a 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 70 61 64 64 69 6e 67 3a 30 20 35 Data Ascii: border-right:1px solid transparent;display:block;display:inline-block;padding:0 5px;position:relative;z-index:1000}.gbts{display:inline}.gbzt .gbts{display:inline;zoom:1}.gbto .gbts{background:#fff;border-color:#bebebe;color:#36c;padding-bot
Nov 18, 2024 16:54:02.411571980 CET	636	IN	Data Raw: 20 30 7d 2e 67 62 74 6f 20 2e 67 62 67 34 61 20 2e 67 62 74 73 7b 70 61 64 64 69 6e 67 3a 32 39 70 78 20 35 70 78 20 31 70 78 3b 2a 70 61 64 64 69 6e 67 3a 32 37 70 78 20 35 70 78 20 31 70 78 7d 23 67 62 69 34 69 2c 23 67 62 69 34 69 64 7b 6c 65 Data Ascii: 0}.gbto .gbg4a .gbts{padding:29px 5px 1px;*padding:27px 5px 1px}#gbi4i,#gbi4id{left:5px;border:0;height:24px;position:absolute;top:1px;width:24px}.gbto #gbi4i,.gbto #gbi4id{top:3px}.gbi4p{display:block;width:24px}#gbi4id{background-position:-
Nov 18, 2024 16:54:02.416241884 CET	1236	IN	Data Raw: 61 67 65 73 2f 62 5f 38 64 35 61 66 63 30 39 2e 70 6e 67 29 3b 5f 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 68 74 74 70 73 3a 2f 2f 73 73 6c 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 67 62 2f 69 6d 61 67 65 73 2f 62 38 5f 33 36 31 35 64 36 34 64 Data Ascii: ages/b_8d5afc09.png);_background:url(https://ssl.gstatic.com/gb/images/b8_3615d64d.png);background-position:0 0;display:block;font-size:0;height:17px;width:16px}.gbto #gbi5{background-position:-6px -22px}.gbn .gbmt,.gbn .gbmt:visited,.gbnd .gb

Target ID:	0
Start time:	10:53:45
Start date:	18/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\2stage.ps1"
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	10:53:45
Start date:	18/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Function 00007FFD9BAA48D6 Relevance: .5, Instructions: 474COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1939555634.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f89c5bfd024cd0f871cd00506677a320d8b01fb6170a412f26ea3fe8f8c298a
Instruction ID: 845c1330f7cd849c7fa463fb0f99425a7c71107351cf8ab61d3b2d3a1efedb9b
Opcode Fuzzy Hash: 2f89c5bfd024cd0f871cd00506677a320d8b01fb6170a412f26ea3fe8f8c298a
Instruction Fuzzy Hash: 58F1B530A09A4D8FEBA8DF28C8557E977D1FF58310F04426EE84DC72A5DF74A9458B82

Function 00007FFD9BAA5682 Relevance: .5, Instructions: 460COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1939555634.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a405acd559c4dabd737a6342d3f652c192fb19529977461d0df05dd331ce69c
Instruction ID: d7d7f4c039ec98258afdecd86f1433bc6e604004a2e998b04db73076beb66e34
Opcode Fuzzy Hash: 8a405acd559c4dabd737a6342d3f652c192fb19529977461d0df05dd331ce69c
Instruction Fuzzy Hash: 38E1A630A09A4D8FEBA8DF68C8657E977D2FF58310F04426EE84DC7295DF78A5448B81

Function 00007FFD9BA9447C Relevance: 1.6, Strings: 1, Instructions: 368COMMON

Download Yara Rule

Strings

]]_H, xrefs: 00007FFD9BA944E0

Memory Dump Source

Source File: 00000000.00000002.1939555634.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba90000_powershell.jbxd

Similarity

API ID:
String ID: ]]_H
API String ID: 0-962805177
Opcode ID: 193d572c4d44e81dc021b2547270b91cc8cc4957d2d3dbdbfd97ae791e907587
Instruction ID: ab2d48b5dd066819d8cfa2bbefe14a73329be4d764fbcffbbe04ec08ff7800b0
Opcode Fuzzy Hash: 193d572c4d44e81dc021b2547270b91cc8cc4957d2d3dbdbfd97ae791e907587
Instruction Fuzzy Hash: CEC17F31A1894D8FDFA8DF9CC4A5AA977E1FFA8310F154269D40DD72A5CE74E881CB80

Function 00007FFD9BCB9C44 Relevance: .4, Instructions: 396COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1942966871.00007FFD9BCB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BCB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bcb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51a6199c67d656c59ba995093bbbda1d699637da57a67f45c9a05834435a1d96
Instruction ID: c831cec4eb3efe95ffbe645eb0d88d59e0d797c76d73fb90d007412ec25af6f7
Opcode Fuzzy Hash: 51a6199c67d656c59ba995093bbbda1d699637da57a67f45c9a05834435a1d96
Instruction Fuzzy Hash: 98C15632B0FA9E0FEBA5ABB848695BD7BD1EF55310B0901BED05DC70E3D958A814CB41

Function 00007FFD9BAA5296 Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1939555634.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b2135f95f1d171affef446b10920d6ef9d8fa637941d3a901ae4a52f27569fd
Instruction ID: 098becbd0c052da16150293b3e892636608d9f058e683811dbf3a793024e3afa
Opcode Fuzzy Hash: 7b2135f95f1d171affef446b10920d6ef9d8fa637941d3a901ae4a52f27569fd
Instruction Fuzzy Hash: F7B1E63060DA4D4FEB69DF28C8667E93BD1FF55310F04426EE84DC7296CA74A945CB82

Function 00007FFD9BA9DCB0 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1939555634.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfb727acb3a10f83a373acb82a338a0368c87b555431104ed7ce912b83529d0
Instruction ID: d701bc06c39c3ea9a551d8388ea68246ebc50307352b6e29da2645420ccdead9
Opcode Fuzzy Hash: 6bfb727acb3a10f83a373acb82a338a0368c87b555431104ed7ce912b83529d0
Instruction Fuzzy Hash: F1413C71A0DA8D4BEB289B6C98255B87BE0EF55310F04417FE49DC3293DEA4B99187C2

Function 00007FFD9BA9DE05 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1939555634.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e446376641a628f9e65f0d8b3ca2a1d006006e22b5fbb7e7c0323495f411320
Instruction ID: e04f92036ab23e95548044f4d6f69f62e404290fa8fc51b2a023dbbe5c8b5d8d
Opcode Fuzzy Hash: 3e446376641a628f9e65f0d8b3ca2a1d006006e22b5fbb7e7c0323495f411320
Instruction Fuzzy Hash: 96410931A0CB4C8FD71C9B9CA8466F8BBE0FB96325F00422FD08983552CBB56456CB86

Function 00007FFD9BA9E5A8 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1939555634.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 352b824405060104ba0ad47b5a616f5ca45b2b6a2ed8c08741383acadd423090
Instruction ID: 3e2f1ec4128019ee0646288fd89ad3606c1d81882c4247ad7e4024b3a4d66cad
Opcode Fuzzy Hash: 352b824405060104ba0ad47b5a616f5ca45b2b6a2ed8c08741383acadd423090
Instruction Fuzzy Hash: 9B310431A0C64C8EEB58DF9C984A7E97BE0EB56331F04816BD448C7166D774A41ACB92

Function 00007FFD9B97E540 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1938964571.00007FFD9B97D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B97D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b97d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c451a97bcc0b7e165fc532e7c7e689d9521d2c50f0f8a99d4566aea889763387
Instruction ID: 4aa93c31c2d99e684bc82b37c964ddee92163cdd3462a1f26b81e9a95ea67f04
Opcode Fuzzy Hash: c451a97bcc0b7e165fc532e7c7e689d9521d2c50f0f8a99d4566aea889763387
Instruction Fuzzy Hash: 5441263041EFC85FE7568B3898919523FF0EF56320B1A05DFD088CB1A7D629A84AC792

Function 00007FFD9BAA4D94 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1939555634.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1af56a07511e65eaf6d199f1d2a17a48a049f85473104ce97f8cb21b4ab77933
Instruction ID: e4b71a8c7a06611a92b41a3f8f4cd11885a8a8db5f03f8d15d1afe67e5de0046
Opcode Fuzzy Hash: 1af56a07511e65eaf6d199f1d2a17a48a049f85473104ce97f8cb21b4ab77933
Instruction Fuzzy Hash: 0031FE30A1A65D8EFBB49F58CC66BF93291FF41319F41413DE40D860A2DE786B45CA51

Function 00007FFD9BA98D05 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1939555634.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d756fe99393b4bb31d90255be7b61f8b530aef642d544dee69d59cc049e95c19
Instruction ID: 004a5fc33be925912f63edd68d3db8298e79f5cd61ce3ce38b5d2c94bb653d68
Opcode Fuzzy Hash: d756fe99393b4bb31d90255be7b61f8b530aef642d544dee69d59cc049e95c19
Instruction Fuzzy Hash: BF01677121CB0C4FD748EF0CE491AA5B7E0FF95364F10056DE58AC76A5D636E881CB45

Function 00007FFD9BCD2BA2 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1943363597.00007FFD9BCD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BCD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bcd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6a0cf0a0bf3441ff069aa187093d93e52d778cd743f1d0796ac57fb1da21671
Instruction ID: 53577a71bc79ba8af90b5bb8e38a234a72179e27fe5c5089561ae26643698c28
Opcode Fuzzy Hash: c6a0cf0a0bf3441ff069aa187093d93e52d778cd743f1d0796ac57fb1da21671
Instruction Fuzzy Hash: 74F03032B0D5494FD769EA9CE4918E873E0EF4532071501FAE15ECB5A7DA26AC418B41

Function 00007FFD9BA9DFE0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1939555634.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27852c460565c1486305f85fd263345d90bcc6cdcef2ee086ea02e4db39c1a6e
Instruction ID: 4f89c9ad20401e7bcd0912c16bdd4be876c6ac1af4067d99beb46a5754984ebc
Opcode Fuzzy Hash: 27852c460565c1486305f85fd263345d90bcc6cdcef2ee086ea02e4db39c1a6e
Instruction Fuzzy Hash: 89F0BB7180868D4FDB55DF68881A5D57FA0FF26350B0502DBE458C71B1DB64A558C7C2

Function 00007FFD9BCD44F4 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1943363597.00007FFD9BCD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BCD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bcd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e2969b5b0c1d0dd5a75814e7f401871f9e63742175cb113500aa349fe8547b5
Instruction ID: a3157e0a936342a1861c2ff1ceba8068fda2fd276c7f88f457b7a7578a2f98b7
Opcode Fuzzy Hash: 9e2969b5b0c1d0dd5a75814e7f401871f9e63742175cb113500aa349fe8547b5
Instruction Fuzzy Hash: 09F0A73131CF044FD744EE1DD445661B3D0FBA8314F10452FE449C3655DA21E8818782

Non-executed Functions

Function 00007FFD9BAA625D Relevance: .8, Instructions: 820COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1939555634.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8473bc5fa13f998b28c4e218b65293daf04f16147b02c9646ace4e79c52a0c4
Instruction ID: d53bb66c91367edaf83556b7441993c0969216eaa2f2a8ef65571a32f7dfd6fc
Opcode Fuzzy Hash: e8473bc5fa13f998b28c4e218b65293daf04f16147b02c9646ace4e79c52a0c4
Instruction Fuzzy Hash: B7328972F0EA4E4FEB65DF9C88615E97BA2FF55310F0601B7D048C71A2D964B846CBA0

Function 00007FFD9BCB6EF1 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1942966871.00007FFD9BCB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BCB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bcb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df6d37ac6b36947b49e4989e788348681e9b407c6f902e85bf581cb7456b5be5
Instruction ID: 2ebe7364541e11598ae43c3829c2c2fb268cc3166f8ea58b930e177fc5301ad1
Opcode Fuzzy Hash: df6d37ac6b36947b49e4989e788348681e9b407c6f902e85bf581cb7456b5be5
Instruction Fuzzy Hash: C7119A4164F7D60FD7A387B898316587FA08F4316070A45F7E188CB0E3D808AD6AC756

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 2stage.ps1

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_14o32xcb.rti.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4hsekni2.3cf.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_igjciuoy.srr.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r3c1lxkk.btu.ps1

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WVO38SLXU0V5GXRWCWUN.temp

Static File Info

General

File Icon

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Windows Analysis Report
2stage.ps1